ABSTRACT


The security of a network depends on how its design fulfils the
organization's security policy. One aspect of security is reachability: whether two
hosts can communicate. Network designers and operators face a very difficult
problem in verifying the reachability of a network, because of the lack of
automated tools, and calculations by hand are impractical because of the often
sheer size of networks.


The reachability of a network is influenced by packet filters, routing 
protocols, and packet transformations. A general framework for calculating the 
joint effect of these three factors was published recently. This thesis partially 
validates that framework through a detailed Java implementation, with the 
creation of an automated solution which demonstrates that the effect of statically 
configured packet filters on the reachability upper bounds of a network can be 
computed efficiently. The automated solution performs its computations purely 
based on the data obtained from parsing router configuration files. Mapping all 
packet filter rules into a data structure called PacketSet, consisting of tuples of 
permitted ranges of packet header fields, is the key to easy manipulation of the 
data obtained from the router configuration files. This novel approach facilitates 
the validation of the security policies of very large networks, which was 
previously not possible, and paves the way for a complete automated solution for 
static analysis of network reachability. 
I. INTRODUCTION


Computer networks [1] today carry many different types of data, and
support a myriad of applications such as teleconferencing, streaming audio and
video, electronic commerce, electronic mail, the World Wide Web, instant
messaging, file sharing, distributed computing, and digital libraries, just to name
a few. The backbone of a network [2] consists of a collection of packet switches
(commonly known as routers) and links. A link can either be of the point-to-point
(e.g., direct connection between two nodes), or the multiple-point access (e.g.,
Ethernet, packet radio) variety.


There are different interest groups concerned with a network: the common
ones are the network provider (or manager), network designer, network operator,
application programmer, and user. The network provider is usually responsible
for administration and management of the network, as well as specifying a
security policy that protects the integrity of the network. The network designer
would build the network to support user requirements, ensure that network
resources are utilized efficiently, and fulfill the security policy requirements.


Network design is driven by policy. The design has to fulfill a given set of
objectives and constraints. In order to achieve these objectives and constraints,
network designers have a vast range of options available to them. Practically, it
involves the specification of packet filters, routing policies, and link weights,
among others. There are many ways to design a network that fulfils the policy-
specified objectives and constraints.


Knowing the reachability of a network is an important and complex
practical problem that affects network designers and policy makers of an
organization. It is crucial that network programmers accurately build and maintain
a network that fulfils the security policy of the organization. Based on
information from networking research literature, not many efforts have been
made in the area of reachability analysis.


It is a daunting task to try to determine host level reachability, i.e., what
kinds of packets can be exchanged between two hosts in a network. Two hosts
may be able to exchange packets because it was intentionally designed as such,
or it could be due to a mistake (configuration or design). Knowing whether
packets can be exchanged between two hosts in a network is crucial to building a
secure network.


One common technique for determining reachability is to use tools (e.g., 
traceroute, ping) that experimentally test the reachability between two hosts. 
Manual static analysis, which involves calculating the static reachability of a 
network by hand (either through the use of the above-mentioned tools’ results, or 
by poring over a network’s design), is usually impractical because of the often 
sheer size of the network, in terms of the number of routers it contains. How to 
automate static reachability analysis is the focus of this thesis. 

A. OBJECTIVE 

Earlier research into this area has yielded a manual technique that defines
the potential reachability of a network and computes the transitive closure of set
union and intersection operations on reachability set representations. It is a very
tedious process to apply this technique to large networks, and/or multiple
networks. Thus there is an impetus to develop an automated solution that can be
used to analyze networks of any size.


This research will delve into the implementation of the automated static 
analysis of a network, adding on to the work already done in developing both a 
tractable framework [8] for reasoning about a network’s reachability, and the 
algorithms for computing reachability bounds. There is no known solution 
available that is capable of determining the static reachability of a network from 
just parsing the router configuration files, and hence verifying that the security 
policy is enforced. It is very difficult to verify that the security policy holds, given 
that router configuration changes occur rather often. 


In this thesis, efforts were taken to automate the process of static
reachability analysis to allow quick and easy verification of a network's
security policy. The static analysis will make use of a snapshot of a network's
router configuration files and as such can be considered a white-box approach¹.
Static analysis is performed in particular on the access control lists (ACLs) and
interface configurations stored within these router configuration files. Suitable
data structures and algorithms must be created for this purpose.


The thesis aims to develop an automated solution that will, in many cases, 
be able to validate a network’s security policies through static analysis of its 
configuration. Based on current knowledge of efforts in this field, such an 
undertaking has not been done on a comparable level, and this will be a 
significant contribution of this thesis. This research will pave the way for future 
attempts to address dynamic network states that will impact the reachability 
problem, and to perform “what-if” analysis of failure scenarios. 

B. WHY STATIC ANALYSIS 

IP networks are the backbone of the Internet and are also used in many 
private enterprise networks. Networking professionals are not only concerned 
with the physical topology of these networks (comprising routers and the links 
between them), but must also deal with the nontrivial task of configuring the 
mechanisms that affect communications between hosts. These mechanisms 
refer to the packet filters, routing protocols and packet transformations that are 
handled by the routers on the IP networks. Consequently, the reachability of a 
network is affected by the above-mentioned mechanisms [3]. 


Packet filters represent the easiest way to control reachability, and they
are widely used by network designers and operators to control the flow of wanted
or unwanted packets in the data plane. There is a wide variety of options that
can be configured in each packet filter, e.g., IP addresses, ports used, protocols
used. As a result of the many ways in which packet filters can be configured, it is
easy for network operators to misconfigure them. Misconfiguration of packet
filters can also be attributed to the difficulty in managing packet filters across an
entire network, especially large ones. It is difficult to envisage the impact and
logic of packet filters across the network without a proper tool that can perform
such analysis across the entire network. As a result, it becomes hard for network
operators to say with absolute confidence that their network configuration
satisfies the security policy in its entirety.

¹ A white-box approach means the person working on the problem has a complete view
(internal and external) of the system being worked upon, vis-a-vis a black-box approach where
only the external system view is known.


Routing protocols affect the paths that packets will traverse across a 
network. A router can learn routes either by having information on directly 
connected links, being configured with static routes, or dynamically exchanging 
routing information with other routers. The dynamic exchange of routing 
information is governed through the use of routing protocols. All these influence 
reachability because they affect the entries that make up a router’s forwarding 
table. 


Another aspect of reachability is influenced by packet transformations.
The header fields that affect the decisions that routers make with respect to
packet filtering and forwarding of each packet may change as the packet
traverses the network.


Packet filters are static, in the sense that they remain relatively 
unchanged, and can usually be changed only by a network operator, as opposed 
to dynamic changes caused by fluctuations in the network. 


Thus it is a natural step to first begin with the development of a tool that 
can automatically perform static analysis of a network based on packet filters, 
since packet filter use is so prevalent, and has a large impact on the reachability 
of a network. 


Router configuration files, which are stored in each router, contain
information on the complete set of router commands at a particular moment in
time. These files contain packet filter configurations and interface configurations,
among other information. Hence, white-box analysis can be performed on these
router configuration files.


C. RESEARCH QUESTIONS 

What would be a suitable automated solution to determine the static 
reachability of a network? Subordinate issues include: 

a. What is the framework for computing reachability bounds?

b. How can the above framework be applied to a static description of
a deployed network?

c. What is a suitable data structure for representing standard and
extended ACLs that enables rapid analysis to be carried out?

d. How can a complex network model be reduced into a simple one
for analysis?

e. How can the technique be used for computing finer-grain
reachability bounds (e.g., consider only a subset of packets)?


D. ORGANIZATION 

The organization of the thesis is as follows: Chapter II provides an
overview of the reachability problem in IP networks, and a discussion of related
research that includes industry efforts. Chapter III covers the approach taken in
finding a solution to the static part of the reachability problem, and explores the
techniques developed. Chapter IV outlines the implementation process, and
highlights measures taken to ensure the success of the solution. It also takes a
look at the results of the system operating with real-world data. Chapter V
synopsizes this thesis effort and provides recommendations for follow-up
research.
II. BACKGROUND


This chapter considers the implications of the use of the Cisco
Internetwork Operating System (IOS), which is the software controlling Cisco
network devices. Cisco has been the clear market leader in routers and
switches for many years, and continues to dominate the market, over industry
rivals such as Juniper Networks. In 2006, Cisco held 75% of the market share in
routers, and 71% of the market share in switches [4]. Hence it makes sense to
focus our attention on IOS compatible router configuration files.


After examining the scope of the problem, a short discussion of related 
research and industry efforts follows. Many network researchers have realized 
the importance of packet filters, and have dedicated efforts towards developing 
better classification algorithms, or improved filtering algorithms, among other 
ideas. 

A. CISCO IOS 

There are many different versions of the Cisco IOS. As of November 
2006, the version number is Release 12.4. There are many features provided by 
the Cisco IOS, but the functionalities that this research will be referring to are the 
interface and ACL configuration aspects. This section will detail the inner 
workings of the Cisco IOS with respect to router configuration files. 

1. Router Hostname 

Each router configuration file will generally contain the keyword hostname.
The word after the hostname keyword specifies the router name, which should be
unique per router.

hostname router-name
Example. hostname router.gw

The above example denotes a router with the name of router.gw.
2. Interface Configuration 
The interface section begins with the keyword interface. Each
interface on the router will have its own section, beginning with the interface
keyword. There is no keyword to denote the end of each interface section, but
another keyword denotes the start of another section, e.g., router, which denotes
the start of a routing protocol section.

a. Interface Name 

The word following the interface keyword is the interface name.
That line is usually followed by a description of the interface, which begins with
the keyword description. The syntax is as follows:

interface interface-name
Example. interface Vlan1

The above example denotes an interface known as Vlan1.

Example. interface Ethernet3/1

The above example refers to the first interface on the Ethernet
device in slot 3 (the fourth slot on the router).

b. Interface IP Address 

The IP address and subnet mask of the interface follow on another
line, which begins with ip address, the syntax of which is as follows:

ip address ip-address subnet-mask
Example. ip address 120.2.1.0 255.255.255.192

The above example denotes an interface with the IP address of
120.2.1.0, and a subnet mask of 255.255.255.192. This means that other routers
with interface IP addresses of 120.2.1.1, 120.2.1.2 through 120.2.1.63 are on the
same subnet, and hence, are its neighbors.

c. ACL Activation

Under each interface, one or more ACLs can be activated for packet
filtering. In the absence of ACLs, all packets will be allowed. An ACL can be
applied on the inbound or outbound queue. Such specification begins with ip
access-group. The syntax is as follows:

ip access-group access-list-number {in|out}
Example. ip access-group 101 in

The above example denotes an interface filtering inbound packets
using ACL 101, which is specified later in the router configuration file.
If no ACLs are activated on an interface, all packets are permitted through it.

3. Access Control List Definition 

ACL entries are processed sequentially in the order that they are stored.
Packets are compared against the first entry, then against the second entry if it
doesn't match the first, and so on. The search continues until a match is
reached, after which the subsequent ACL rules are not processed. If none of the
rules are a match, the traffic is denied, because there is an implicit "deny all" rule.
Hence, the order of the ACL entries is a very important consideration, as each
rule is either an explicit deny or permit action. Cisco IOS permits different types
of ACLs [5], as shown below:

a. Standard ACLs 

Standard ACLs were introduced in Cisco IOS Software Release
8.3. They filter traffic based on the source address in IP packets, in comparison
to the source address configured in the ACL. The syntax [6] of the standard
ACL is as follows:

access-list access-list-number {deny | permit} source [source-wildcard] [log]
Example. access-list 1 permit 100.10.1.0 0.0.0.255

The above example shows a standard ACL that permits traffic from
source 100.10.1.x.

The access-list number can be any number from 1 to 99. The
numbers 1300 to 1399 were added to the standard ACL range in Cisco IOS
Software Release 12.0.1.

A source/source-wildcard setting of 0.0.0.0/255.255.255.255 can be
specified as any. If the wildcard is all zeros (0.0.0.0), it can be omitted.

host 100.10.1.1 0.0.0.0
is the same as
host 100.10.1.1
b. Extended ACLs 
Extended ACLs were also introduced in Cisco IOS Software
Release 8.3. They are an extension of the standard ACLs, and filter traffic based
on the source and destination addresses in IP packets, in comparison to those
configured in the ACL. The syntax [6] for the extended ACLs is shown below.

The general syntax for IP packets is as follows:

access-list access-list-number [dynamic dynamic-name [timeout minutes]]
    {deny | permit} protocol source source-wildcard destination
    destination-wildcard [precedence precedence] [tos tos]
    [log | log-input] [time-range time-range-name] [fragments]

For Internet Control Message Protocol (ICMP), the syntax is:

access-list access-list-number [dynamic dynamic-name [timeout minutes]]
    {deny | permit} icmp source source-wildcard destination
    destination-wildcard [icmp-type | [icmp-type icmp-code] | [icmp-message]]
    [precedence precedence] [tos tos] [log | log-input]
    [time-range time-range-name] [fragments]

For Internet Group Message Protocol (IGMP), the syntax is:

access-list access-list-number [dynamic dynamic-name [timeout minutes]]
    {deny | permit} igmp source source-wildcard destination
    destination-wildcard [igmp-type] [precedence precedence] [tos tos]
    [log | log-input] [time-range time-range-name] [fragments]
For Transmission Control Protocol (TCP), the syntax is:

access-list access-list-number [dynamic dynamic-name [timeout minutes]]
    {deny | permit} tcp source source-wildcard [operator [port]]
    destination destination-wildcard [operator [port]] [established]
    [precedence precedence] [tos tos] [log | log-input]
    [time-range time-range-name] [fragments]

For User Datagram Protocol (UDP), the syntax is:

access-list access-list-number [dynamic dynamic-name [timeout minutes]]
    {deny | permit} udp source source-wildcard [operator [port]]
    destination destination-wildcard [operator [port]]
    [precedence precedence] [tos tos] [log | log-input]
    [time-range time-range-name] [fragments]

The extended access-list number can be any number from 101 to
199. The numbers 2000 to 2699 were added to the range in Cisco IOS Software
Release 12.0.1.
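As an added illustration (Python, not the thesis's Java implementation, which is not reproduced on this page), the following sketch parses the hostname, interface, ip address, ip access-group and numbered access-list lines described in this section from a constructed configuration snippet, and then evaluates an ACL against a packet with the sequential first-match, implicit-deny semantics described under Access Control List Definition. The configuration text, the packet dictionaries, the handling of the any, host, eq, gt, lt and range keywords, and the small port-name table are assumptions of the example; options such as log, established and dynamic are ignored rather than interpreted.

```python
import ipaddress

# Constructed configuration snippet (not taken from any real router), using the syntax above.
SAMPLE_CONFIG = """\
hostname router.gw
!
interface Vlan1
 description management segment
 ip address 120.2.1.0 255.255.255.192
!
interface Ethernet3/1
 description uplink
 ip address 100.10.2.1 255.255.255.0
 ip access-group 101 in
!
access-list 1 permit 100.10.1.0 0.0.0.255
access-list 101 remark allow web traffic to the server only
access-list 101 permit tcp any host 100.10.2.5 eq 80
access-list 101 deny   tcp any any eq 23
access-list 101 permit udp 100.10.1.0 0.0.0.255 any
"""

PORT_NAMES = {'www': 80, 'telnet': 23, 'domain': 53}   # assumed subset of IOS port names
ANY = (0, 0xFFFFFFFF)                                   # address 0.0.0.0, wildcard 255.255.255.255
ALL_PORTS = (0, 65535)


def ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_address(words, i):
    """Parse 'any' | 'host A' | 'A W' | 'A' at words[i]; return ((address, wildcard), next index)."""
    if words[i] == 'any':
        return ANY, i + 1
    if words[i] == 'host':
        return (ip(words[i + 1]), 0), i + 2
    if i + 1 < len(words) and words[i + 1][:1].isdigit():
        return (ip(words[i]), ip(words[i + 1])), i + 2
    return (ip(words[i]), 0), i + 1                      # omitted wildcard means 0.0.0.0


def parse_port(words, i):
    """Parse an optional [operator [port]] at words[i]; return ((low, high), next index)."""
    port = lambda tok: PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)
    op = words[i] if i < len(words) else None
    if op == 'eq':
        return (port(words[i + 1]),) * 2, i + 2
    if op == 'gt':
        return (port(words[i + 1]) + 1, 65535), i + 2
    if op == 'lt':
        return (0, port(words[i + 1]) - 1), i + 2
    if op == 'range':
        return (port(words[i + 1]), port(words[i + 2])), i + 3
    return ALL_PORTS, i


def parse_acl_entry(words):
    """Turn one 'access-list N ...' line into a rule dict; remark lines yield None."""
    number = int(words[1])
    if words[2] == 'remark':
        return None
    if 1 <= number <= 99 or 1300 <= number <= 1399:      # standard ACL: source address only
        src, _ = parse_address(words, 3)
        return dict(action=words[2], proto='ip', src=src, sport=ALL_PORTS, dst=ANY, dport=ALL_PORTS)
    action, proto = words[2], words[3]                    # extended ACL
    src, i = parse_address(words, 4)
    sport, i = parse_port(words, i)
    dst, i = parse_address(words, i)
    dport, i = parse_port(words, i)
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)


def parse_config(text):
    """Return (hostname, interfaces, acls) extracted from an IOS-style configuration."""
    hostname, interfaces, acls, current = None, {}, {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith('!'):
            continue
        if words[0] == 'hostname':
            hostname, current = words[1], None
        elif words[0] == 'interface':                     # a new interface section starts here
            current = dict(name=words[1], description='', address=None, mask=None, acl_in=None, acl_out=None)
            interfaces[words[1]] = current
        elif words[0] == 'access-list':
            current = None
            rule = parse_acl_entry(words)
            if rule is not None:
                acls.setdefault(int(words[1]), []).append(rule)
        elif current is not None and raw.startswith(' '):   # indented line inside the interface
            if words[0] == 'description':
                current['description'] = ' '.join(words[1:])
            elif words[:2] == ['ip', 'address']:
                current['address'], current['mask'] = words[2], words[3]
            elif words[:2] == ['ip', 'access-group']:
                current['acl_' + words[3]] = int(words[2])
        else:
            current = None                                 # some other top-level section, e.g. router ...
    return hostname, interfaces, acls


def _address_matches(rule_addr, packet_ip):
    address, wildcard = rule_addr                         # wildcard bits set = "don't care"
    return (packet_ip ^ address) & ~wildcard & 0xFFFFFFFF == 0


def rule_matches(rule, pkt):
    if rule['proto'] != 'ip' and rule['proto'] != pkt['proto']:
        return False
    if not (_address_matches(rule['src'], ip(pkt['src'])) and _address_matches(rule['dst'], ip(pkt['dst']))):
        return False
    if pkt['proto'] not in ('tcp', 'udp'):
        return True
    return rule['sport'][0] <= pkt['sport'] <= rule['sport'][1] and rule['dport'][0] <= pkt['dport'] <= rule['dport'][1]


def evaluate_acl(rules, pkt):
    """Sequential first-match evaluation; the implicit 'deny all' applies when nothing matches."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule['action']
    return 'deny'


if __name__ == '__main__':
    host, ifaces, acls = parse_config(SAMPLE_CONFIG)
    print(host, {n: (i['address'], i['acl_in']) for n, i in ifaces.items()})
    print(evaluate_acl(acls[101], dict(proto='tcp', src='8.8.8.8', sport=40000, dst='100.10.2.5', dport=80)))
```

The parser keys interface sub-commands on their leading space, which is how IOS separates a section body from the next top-level command; a UDP packet from an address outside 100.10.1.0/24 therefore falls through all three entries of ACL 101 and is dropped by the implicit deny, exactly the case where a missing entry, rather than a wrong one, changes reachability.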

c. Lock and Key (Dynamic ACLs)

Lock and Key ACLs were introduced in Cisco IOS Software 
Release 11.1. They are dependent on Telnet, authentication (local or remote) 
and extended ACLs. To use Lock and Key ACLs, the extended ACL must first 
block traffic through the router. Users of the router must Telnet to the router and 
authenticate themselves. After authentication, the router adds a single-entry 
dynamic ACL to the extended ACL, which permits traffic for a specific time 
period. It is possible to define idle and absolute timeouts. The extended ACL 
must contain the keyword dynamic. 

d. IP Named ACLs 

The feature of using names instead of numbers (access-list-number)
for standard and extended ACLs was added in Cisco IOS Software
Release 11.2. The syntax for IP named ACLs is as follows:

ip access-list {extended | standard} name
e. Reflexive ACLs

Reflexive ACLs were introduced in Cisco IOS Software Release 
11.3. Reflexive ACLs allow IP packets to be filtered based on upper-layer 
session information. They are generally used to allow outbound traffic and to limit 
inbound traffic in response to sessions that originate inside the router. 


Reflexive ACLs can be defined only with extended named IP ACLs. 
They cannot be defined with numbered or standard named IP ACLs, or with other 
protocol ACLs. However, reflexive ACLs can be used in conjunction with other 
standard and static extended ACLs. 

f. Time-Based ACLs 

Time-based ACLs were introduced in Cisco IOS Software Release
12.0.1.T. They give users flexibility in access control in the time dimension.
Time restrictions are imposed on the time function, and rely on the router system
clock, although Cisco states that the use of Network Time Protocol
synchronization would be best. This feature is invoked in extended ACLs by
specifying the [time-range time-range-name] option.

g. Commented IP ACL Entries

Commented IP ACL entries were introduced in Cisco IOS Software 
Release 12.0.2.T. With comments, ACLs become easier to understand, just like 
the use of comments in regular programming languages. Commented IP ACL 
entries can be used in standard and extended ACLs. The syntax for comments 
is: 

ip access-list {standard | extended} name remark remark


for named ACLs, and the following is for regular numbered ACLs: 


access-list access-list-number remark remark 
h. Other Forms of Access Control

There are also other forms of access control, albeit more
specialized in nature. There is Context-based Access Control (CBAC),
which inspects all traffic and maintains state information for TCP and UDP
sessions. Authentication proxies can be set up in firewalls to enable
authentication for inbound and/or outbound users. Turbo ACLs can be found in
high-end routers, for the purpose of improving router performance, by processing
ACLs more efficiently. There are also Distributed Time ACLs, which allow time-
based ACLs on Cisco VPN-enabled 7500 series routers. Receive ACLs
improve security on Cisco 12000 series routers. Infrastructure Protection
ACLs are used to protect infrastructure equipment by permitting only authorized
traffic to them (permitting all transit traffic too). Transit ACLs improve network
security by explicitly permitting only necessary traffic into the network.

4. Miscellaneous 

More information on how to configure and use ACLs can be found at the 
Cisco website [5-7]. 
B. RELATED RESEARCH 

There has been a significant amount of work carried out by networking 
researchers in relation to packet filtering. However, little work seems to have 
been done on tackling the reachability problem, as there has been little literature 
available on the matter. Nonetheless, some of the results of the efforts on packet 
filtering are useful in the quest for a workable solution to the reachability problem. 
This section will outline some of the relevant research performed in the packet 
filtering arena. 

1. Use of Network Security Tools

There are many different network security tools on the market that can 
perform network vulnerability testing. According to [8], some of the popular ones 
are Nessus, Snort, Metasploit framework, ping, and traceroute, among others. 
The problem with these tools is that they require a live network on which to work. 
Hence, they are not useful as a design tool. Furthermore, they operate at a low 
level, and are not able to provide network designers/operators with a high-level 
view of the network’s security. 

2. Detecting and Resolving Packet Filter Conflicts 

Reference [9] tackles the problem of filter conflict and resolution. The
authors studied how filter conflicts arise, and proved that (then) existing conflict
resolution schemes based on filter ordering were not always effective. They
developed a system based on adding new filters that could be applied in all
cases.


The paper uses the concept of depicting a filter F as a k-tuple (F[1], F[2], 
..., F[k]), where each field F[i] is a prefix bit string (map) that denotes a range of 
addresses or field values. A filter that processes on only IP source addresses 
would be classified as a 1-tuple; a filter that processes on both IP source and 
destination addresses would be classified as a 2-tuple; and so on. Typically, 
filters are crafted to range from 1-tuple to 5-tuple. A 5-tuple filter would process 
on IP source and destination addresses, source and destination ports, as well as 
the packet’s protocol field. This concept of representing filters is not new, and 
had already been explored in previous research. Nonetheless, the k-tuple 
representation of packet filters presents a convenient way of denoting these 
filters. 


The approach towards solving filter conflicts is to add resolve filters for
each pair of conflicting filters. Simply put, if two filters, F and G, are in conflict,
then a new (resolve) filter H is introduced, where H = F ∩ G. This idea is
important, because having overlapping packet filters not only creates problems
with respect to satisfying policy, but also in terms of efficiency, in having to
process the same area multiple times.

3. Access Control List Analysis (ACLA) 

In the ACLA framework [10], ACL analysis was automated, providing
functionalities such as detection and removal of redundant rules,
discovery and repair of inconsistent rules, as well as merging of
overlapping/adjacent rules. It also enabled translating a complex ACL (of both
permits and denies) into a form consisting of only either permits or denies. The
ACLA framework was topped off with a feature that could compute a meta-ACL
profile based on all ACLs along a network path.


A dynamic multidimensional interval tree-based approach was adopted,
with four dimensions of a packet filter considered: source and destination
addresses, protocol and port number. The first two were ranges, while the latter
two were a single number each. The ordering of the final ACL was similar to the
start state.


The algorithms developed were an important contribution to the 
reachability studies, but the number of dimensions considered did not cover the 
entire functionality of a packet filter. It was not a totally automated process, as 
the clients still had to implement the relations contained in the ACLA library. The 
ACLA framework was also not able to automatically derive the global view of the 
network from its existing topology and router configurations, and verify whether 
the network satisfied the security policy. The concepts are bold and innovative, 
but are only able to address a meta-ACL profile based on ACLs along a single 
network path, which is not addressing the complete reachability problem, in 
which multiple (possibly complex) paths are available from source to destination. 

4. Algorithms for Packet Classification 

Networking researchers have developed many different search algorithms 
to aid in packet classification [11]. The importance of this matter lies in speed, 
because fast links require fast classification. 


In a simple sense, a packet represents a point in a two-dimensional
space, if only the source and destination addresses are considered. Multi-
dimensional classification would inherently be more complicated, and the
problem is complicated even more by the need to match packets on ranges as
well as prefixes. A two-dimensional rule is represented by a rectangle, and a d-
dimensional rule is represented by a d-dimensional rectangle. Thus the schemes
that make use of rectangular representation depict rules using N rectangular
regions. Since packets are not only matched based on prefixes, but also on
ranges, the term W is used to denote the number of bits in a range.


The algorithms explored include basic data structures (e.g., linear search),
geometry-based structures (e.g., grid-of-tries), also known as string search
(retrieval) trees, heuristic-based (e.g., tuple-space search), and hardware-only
(e.g., bitmap-intersection) types.
The hierarchical trie structure (basic data structure) appears promising
for use in this thesis, as the query time complexity for d dimensions is O(W^d).
This structure was also used in [9] for the optimized solution. This data structure
is also used by AT&T in their network backbone. Although the grid-of-tries has
a better query time complexity, it is more suited for two-dimensional problems.
Many other algorithms are also geared toward two-dimensional applications, and
those that work well with multi-dimensions require a much greater storage
complexity.


A summary of the classification schemes presented in the paper [11] is
shown below. Only the column headings, the scheme names and one entry
survived extraction; the remaining complexity entries are illegible in the source:

Algorithm            Worst-case time complexity    Worst-case storage complexity
Linear Search        (illegible)                   (illegible)
Ternary CAM          (illegible)                   (illegible)
Hierarchical Tries   (illegible)                   (illegible)
(two rows illegible)
FIS-tree             (l+1)W                        (illegible)
RFC                  (illegible)                   (illegible)
HiCuts               (illegible)                   (illegible)

Table 1. Summary of Classification Schemes (From [11])
5. Static Reachability Analysis of IP Networks

The static reachability analysis paper [3] presents a precise definition of
the potential reachability of a network, accounting for the influences of packet
filters, routing protocols, and packet transformations. In addition, a tractable
framework for calculating the effects of the above-mentioned three factors on the
reachability in a network was developed, and the algorithm is based on static
analysis of router configuration files.


Packet filters are seen as the easiest way to control reachability. The 
filters contain clauses that permit or deny packets based on their header fields. 
Each interface on a router may be configured with different filters for inbound and 
outbound packets, and this ultimately affects reachability. 


Routing protocols also control reachability because they affect the
contents of a router's forwarding table. Each routing process (i.e., an instance of
a routing protocol) controls the sharing of routing information between routers,
and routing processes have to be specifically configured to share this routing
information.


Packet transformations also affect reachability in a network because 
packet header fields may change as the packet traverses the network. Since 
routing is based on these header fields, any change in them would affect 
reachability. 


Of particular interest, the reachability of a network has two key bounds: an
upper bound and a lower bound. Reachability Upper Bound (RUB) refers to
the set of packets that could potentially reach from node i to node j in the network, if
routing decisions were made appropriately, and is defined as follows (where s is
the network's forwarding state, and S is the set of all possible network forwarding
states):

$$R_{i,j} = \bigcup_{s \in S} R_{i,j}(s)$$
Reachability Lower Bound (RLB) refers to packets that will be
guaranteed delivery from i to j as long as the network is not physically partitioned,
and is defined as follows:

$$R_{i,j} = \bigcap_{s \in S} R_{i,j}(s)$$


The RLB algorithm is based on the "Articulation Points and Biconnected
Components" algorithm for any pair of nodes i and j, and subsequently
determining the intersection of F_{u,v} for the remaining edges. Note that F_{u,v} refers
to the set of packets that the network is able to carry over edge <u, v>. An
alternate view of F_{u,v} is a packet filter representation with different predicates.


As for the RUB, the algorithm was developed as follows (note that R
denotes reachability between two points, and V is the set of routers):

1. Initialize R(i,j) (the remainder of this line is illegible in the source)
2. for (m = 1 to |V| - 2) do
3.   for (i = 1 to |V|) do
4.     R'(i,j) = ∅;
5.     for (k = 1 to |V|) do
6.       if (<i,k> ∈ E)
           then R'(i,j) = R'(i,j) ∪ (F_{i,k} ∩ R(k,j));
7.   R(i,j) = R'(i,j);


With the RLB and RUB algorithms, it becomes possible to calculate the 
static reachability of a network with ease; what remains is to insert the effects 
of the three factors of packet filters, routing protocols and packet transformations 
into F_{u,v}. 

C. CONCLUSION 

After examining the syntax used by the Cisco IOS, it is now possible to 
develop a parser to extract the pertinent information from router configuration 
files that would be needed to perform reachability bound calculations. Although 
there are several pieces of related research, none are feasible for 
implementation in this effort, save for the use of a tuple-based data structure. 
The algorithm developed to compute the RUB is most applicable to this thesis, as its 
results are essential in determining network reachability. All of these will be 
examined in greater detail in the next chapter for implementation purposes. 

III. DESIGN 


This chapter explores the methodology and the actual design for the 
thesis work. The reachability bound computation revolves around the analysis of 
network router configuration files. A look will be taken at the data structure 
developed for the automated solution to work with, as well as the algorithms 
modified from previous research and new ones written as part of this effort. To 
complete the design, the human-computer interaction aspect will be studied to 
create an effective GUI front end to the analysis tool. 

A. SET NOTATION OF PACKET FILTERS 

1. PacketSet Data Structure 

A PacketSet is essentially a representation of a packet filter (i.e., ACL) in 
set form. It denotes the set of packets permitted by that packet filter. Each 
ACL rule is denoted by a 5-tuple, with the five dimensions as follows: 

• Source IP address 
• Destination IP address 
• Source port number 
• Destination port number 
• Protocol number 

In set notation, the 5-tuple would be: 

    [src-ip] ; [src-port] ; [dest-ip] ; [dest-port] ; [prot] 

where: 
    src-ip    : source IP address 
    src-port  : source port 
    dest-ip   : destination IP address 
    dest-port : destination port 
    prot      : protocol 

Also, each dimension of the 5-tuple is actually a range of permitted values. 
The PacketSet data structure would thus be: 

    [src-ip lower, src-ip upper] ; [src-port lower, src-port upper] ; 
    [dest-ip lower, dest-ip upper] ; [dest-port lower, dest-port upper] ; 
    [prot lower, prot upper] 

The source and destination IP addresses have a maximum range from 
0.0.0.0 to 255.255.255.255, the source and destination ports from 0 to 65535, 
and the protocol number from 0 to 255. 


The PacketSet is based on a packet filter, yet there is subtle but important 
difference. Packet filters contain rules that must be processed sequentially, in 
the order they are stored in the list. The PacketSet data structure that was 
developed contains ‘rules’ (5-tuples) that do not have to be processed 
sequentially. 


This relaxation of the sequential processing rule enables greater flexibility 
in optimizing, reordering and restructuring the 5-tuples. The secret as to how the 
PacketSet can afford to do away with sequential processing is that all permit and 
deny rules in a packet filter are mapped to permit-only 5-tuples. The mapping of 
packet filter rules to 5-tuples will be covered in the next section. 

2. PacketSet Creation Algorithm 

Creating a PacketSet is a complex task, as it requires the sequential 
handling of the jumble of permit and deny rules typically found in a packet filter. 
The mapping of permit and deny rules in a packet filter to tuples of a PacketSet 
is not one-to-one, because (i) deny rules by themselves do not cause tuples to 
be added, and (ii) a permit rule may add zero, one or more tuples, depending 
upon the preceding deny rules. 

The algorithm that follows is responsible for converting one ACL into a 
PacketSet, and assumes that the packet filter rules in a router configuration file 
have already been parsed: 

    CreatePacketSet(ACL) 
    1.  Create an empty PacketSet; 
    2.  Create an empty Deny Buffer; 
    3.  For (each rule in ACL), do 
    4.    Create an empty Interim Buffer; 
    5.    Convert rule into a new Current Tuple; 
    6.    If rule is "Deny", add Current Tuple to Deny Buffer; 
    7.    Else if rule is "Permit" 
    8.      Add Current Tuple to Interim Buffer; 
    9.      For (j = 0 to size of Deny Buffer), do 
    10.       For (k = 0 to size of Interim Buffer), do 
    11.         Perform a GetPermitTuple on Interim Buffer[k] 
                against Deny Buffer[j]; 
    12.     Add Interim Buffer to PacketSet; 
    13. If PacketSet is not empty, perform optimization 
        to merge and remove overlapping ranges; 

What the algorithm does is to go sequentially through the list of ACL rules. 
Every deny rule goes into the deny buffer. A permit rule that precedes every deny 
rule is added to the PacketSet unchanged. Every permit rule that follows a deny rule 
is first compared against each rule in the deny buffer (step 11 replaces Interim 
Buffer[k] by the zero, one or more tuples that GetPermitTuple returns, so the 
Interim Buffer may grow as the deny rules are applied), and only the resulting 
tuples are added to the PacketSet. Deny rules that come after a permit rule do not 
affect it, because a packet filter is evaluated first-match. Finally, the PacketSet 
is saved as part of the ACL object. 


The essence of the GetPermitTuple function will be explored in the next 
section. 

3. Mapping of Permit and Deny Rules to a Tuple 

One of the key ingredients of the PacketSet creation algorithm lies in the 
GetPermitTuple function, which performs a mapping of permit and deny rules to 
a tuple. It is only invoked when there is a need to compare a permit rule against 
a deny rule (which comes before the permit rule). 




a. Definition of Terms 

A 1-tuple is written as follows: 

    [(A,1)_{lower}, (A,1)_{upper}] 

The A in (A,1) denotes which tuple it is, and the 1 denotes the 
dimension. The subscripts upper and lower denote whether the value is the upper or 
lower end of the range. 

b. 1-Tuple Case 

In comparing a permit rule against a deny rule (which comes before 
the permit rule), it is best to start with the simplest case, the 1-tuple. The first 1-
tuple corresponds to the deny rule, and the second to the permit rule (an example 
illustrates this below). Subsequent cases build upon this logic. 

For: 

    [(A,1)_{lower}, (A,1)_{upper}] 
    [(B,1)_{lower}, (B,1)_{upper}] 

where A is the deny tuple, and B is the permit tuple. 

There are three possible outcomes to the comparison: 

• No tuple is generated if B's range is a subset of A's range. 
• One tuple is generated if only one end of B's range extends beyond A's range 
  (or if the two ranges do not meet at all, in which case B is returned unchanged). 
• Two tuples are generated if A's range lies strictly inside B's range (i.e., B's 
  range extends beyond both bounds of A's range). 

The result can be written succinctly in mathematical notation as follows: 

    [(B,1)_{lower}, min{(A,1)_{lower} - 1, (B,1)_{upper}}] ∪ 
    [max{(B,1)_{lower}, (A,1)_{upper} + 1}, (B,1)_{upper}] 

Note: each range is valid only if its lower value ≤ its upper value (a range such 
as [9,9] holds a single value and is valid). If any range in a tuple is not valid, 
the entire tuple is invalid and is rejected. 

Example: 
    [3,5] → deny 
    [1,7] → permit 

The result generated would be [1,2] ∪ [6,7]. 


c. 2-Tuple Case 

The problem gets slightly more complicated with the addition of 
another dimension. However, the logic is still similar, as there is a pattern to be 
seen. 

For: 

    [(A,1)_{lower}, (A,1)_{upper}] ; [(A,2)_{lower}, (A,2)_{upper}] 
    [(B,1)_{lower}, (B,1)_{upper}] ; [(B,2)_{lower}, (B,2)_{upper}] 

The result of comparing the permit rule B against deny rule A would be: 

    [(B,1)_{lower}, min{(A,1)_{lower} - 1, (B,1)_{upper}}] ; [(B,2)_{lower}, (B,2)_{upper}] ∪ 
    [max{(B,1)_{lower}, (A,1)_{upper} + 1}, (B,1)_{upper}] ; [(B,2)_{lower}, (B,2)_{upper}] ∪ 
    [(B,1)_{lower}, (B,1)_{upper}] ; [(B,2)_{lower}, min{(A,2)_{lower} - 1, (B,2)_{upper}}] ∪ 
    [(B,1)_{lower}, (B,1)_{upper}] ; [max{(B,2)_{lower}, (A,2)_{upper} + 1}, (B,2)_{upper}] 

There is a pattern that can be seen forming. 

Example: 
    [3,5] ; [10,12] → deny 
    [1,7] ; [9,13]  → permit 

The result generated would be: 

    [1,2] ; [9,13] ∪ 
    [6,7] ; [9,13] ∪ 
    [1,7] ; [9,9] ∪ 
    [1,7] ; [13,13] 
d. 3-Tuple Case 

Again, just as the 2-tuple case extends the 1-tuple case, the 3-tuple case 
is an extension of the 2-tuple case. Applying the same logic to: 

    [(A,1)_{lower}, (A,1)_{upper}] ; [(A,2)_{lower}, (A,2)_{upper}] ; [(A,3)_{lower}, (A,3)_{upper}] → deny 
    [(B,1)_{lower}, (B,1)_{upper}] ; [(B,2)_{lower}, (B,2)_{upper}] ; [(B,3)_{lower}, (B,3)_{upper}] → permit 

The result of the comparison would be: 

    [(B,1)_{lower}, min{(A,1)_{lower} - 1, (B,1)_{upper}}] ; [(B,2)_{lower}, (B,2)_{upper}] ; [(B,3)_{lower}, (B,3)_{upper}] ∪ 
    [max{(B,1)_{lower}, (A,1)_{upper} + 1}, (B,1)_{upper}] ; [(B,2)_{lower}, (B,2)_{upper}] ; [(B,3)_{lower}, (B,3)_{upper}] ∪ 
    [(B,1)_{lower}, (B,1)_{upper}] ; [(B,2)_{lower}, min{(A,2)_{lower} - 1, (B,2)_{upper}}] ; [(B,3)_{lower}, (B,3)_{upper}] ∪ 
    [(B,1)_{lower}, (B,1)_{upper}] ; [max{(B,2)_{lower}, (A,2)_{upper} + 1}, (B,2)_{upper}] ; [(B,3)_{lower}, (B,3)_{upper}] ∪ 
    [(B,1)_{lower}, (B,1)_{upper}] ; [(B,2)_{lower}, (B,2)_{upper}] ; [(B,3)_{lower}, min{(A,3)_{lower} - 1, (B,3)_{upper}}] ∪ 
    [(B,1)_{lower}, (B,1)_{upper}] ; [(B,2)_{lower}, (B,2)_{upper}] ; [max{(B,3)_{lower}, (A,3)_{upper} + 1}, (B,3)_{upper}] 

The pattern is now obvious. Every additional dimension adds two tuples to the 
maximum number of tuples that can be generated, so the maximum number of tuples 
for d dimensions is 2d. 

In the 3-tuple and 2-tuple cases above, the generated tuples overlap one another 
(for instance, the third tuple repeats the whole of B's first-dimension range, part of 
which the first two tuples already cover). The results can therefore be optimized to 
remove the overlapping ranges. Note that the pattern was: 

    [non-overlapping 1st-D permit range] ; [2nd-D permit range] ; [3rd-D permit range] ∪ 
    [1st-D permit range] ; [non-overlapping 2nd-D permit range] ; [3rd-D permit range] ∪ 
    [1st-D permit range] ; [2nd-D permit range] ; [non-overlapping 3rd-D permit range] 

where "non-overlapping" refers to the part of the permit range over which the permit 
and deny tuples do not intersect. After optimization, the sequence becomes: 

    [non-overlapping 1st-D permit range] ; [2nd-D permit range] ; [3rd-D permit range] ∪ 
    [overlapping 1st-D range] ; [non-overlapping 2nd-D permit range] ; [3rd-D permit range] ∪ 
    [overlapping 1st-D range] ; [overlapping 2nd-D range] ; [non-overlapping 3rd-D permit range] 

The overlapping 1st-D range (and similarly the 2nd-D range) is represented by: 

    [max{(A,1)_{lower}, (B,1)_{lower}}, min{(A,1)_{upper}, (B,1)_{upper}}] 

Note: a range is valid only if its lower value ≤ its upper value. If any range 
in a tuple is not valid, the entire tuple is invalid and is rejected. The tuples of 
the optimized sequence are pairwise disjoint: the tuple for a given dimension is 
confined to the deny tuple's range in every earlier dimension, and the earlier 
tuples hold no packets there. 

e. 5-Tuple Case 

With the emergence of a pattern in the above cases, it becomes 
simple to extend the logic to the 5-tuple case, or indeed to the x-tuple case: 

    [non-overlapping 1st-D permit range] ; [2nd-D permit range] ; ... ; [xth-D permit range] ∪ 
    [overlapping 1st-D range] ; [non-overlapping 2nd-D permit range] ; [3rd-D permit range] ; ... ; [xth-D permit range] ∪ 
    [overlapping 1st-D range] ; [overlapping 2nd-D range] ; [non-overlapping 3rd-D permit range] ; [4th-D permit range] ; ... ; [xth-D permit range] ∪ 
    ... ∪ 
    [overlapping 1st-D range] ; ... ; [overlapping (x-1)th-D range] ; [non-overlapping xth-D permit range] 

The overlapping 1st-D range (and similarly the 2nd-D range onwards) is represented by: 

    [max{(A,1)_{lower}, (B,1)_{lower}}, min{(A,1)_{upper}, (B,1)_{upper}}] 

Note: a range is valid only if its lower value ≤ its upper value. If any range 
in a tuple is not valid, the entire tuple is invalid and is rejected. 
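The GetPermitTuple mapping of this section and the CreatePacketSet procedure of Section 2, as an added worked example in Python (it is not the thesis's Java code). The tuple layout, dimension order, the 1- and 2-tuple inputs and ACL 1 of the Chapter IV example network follow the text; the function names `subtract`, `create_packet_set`, `show` and the IPv4-to-integer helper are this example's own. It produces the "after optimization" (pairwise disjoint) pieces directly, and returns the permit tuple unchanged when the deny tuple does not meet it in some dimension:

```python
# Added example (Python, not the thesis's Java): the GetPermitTuple mapping and the
# CreatePacketSet procedure.  A tuple is a Python tuple of inclusive (lower, upper)
# ranges, one per dimension, in the thesis's order:
#   src-ip ; src-port ; dest-ip ; dest-port ; protocol
import ipaddress

ANY_IP, ANY_PORT, ANY_PROTO = (0, 2**32 - 1), (0, 65535), (0, 255)


def ip(dotted):
    """Dotted quad -> integer, so that address ranges are ordinary integer ranges."""
    return int(ipaddress.IPv4Address(dotted))


def overlap(a, b):
    """[max lower, min upper] of two ranges, or None when they do not meet."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def subtract(permit, deny):
    """GetPermitTuple: the part of `permit` not covered by the earlier `deny`, as a
    list of pairwise-disjoint tuples (the thesis's 'after optimization' pattern).
    Piece for dimension d = overlapping ranges on dimensions < d, one non-overlapping
    part of dimension d, full permit range on dimensions > d.  At most 2*len(permit)
    pieces; a piece with lower > upper in its dimension is rejected."""
    common = [overlap(p, q) for p, q in zip(permit, deny)]
    if any(c is None for c in common):
        return [tuple(permit)]  # the deny matches nothing this permit covers
    pieces = []
    for d, ((p_lo, p_hi), (a_lo, a_hi)) in enumerate(zip(permit, deny)):
        below = (p_lo, min(a_lo - 1, p_hi))  # [B_lower, min(A_lower - 1, B_upper)]
        above = (max(p_lo, a_hi + 1), p_hi)  # [max(B_lower, A_upper + 1), B_upper]
        for part in (below, above):
            if part[0] <= part[1]:
                pieces.append(tuple(common[:d]) + (part,) + tuple(permit[d + 1:]))
    return pieces


def create_packet_set(acl):
    """CreatePacketSet: `acl` is the ordered list of (action, tuple) rules.  ACL
    evaluation is first-match, so a permit contributes only the part of its tuple
    that no *preceding* deny already claimed; deny rules add nothing themselves."""
    packet_set, deny_buffer = [], []
    for action, rule in acl:
        if action == "deny":
            deny_buffer.append(tuple(rule))
            continue
        interim = [tuple(rule)]  # the Interim Buffer for this permit rule
        for deny in deny_buffer:  # each deny may split every interim tuple further
            interim = [piece for t in interim for piece in subtract(t, deny)]
        packet_set.extend(interim)
    return packet_set


def show(packet_set):
    """Render tuples the way the toolkit prints them (IP dimensions as dotted quads)."""
    lines = []
    for t in packet_set:
        cells = []
        for d, (lo, hi) in enumerate(t):
            if d in (0, 2):  # src-ip and dest-ip dimensions
                lo, hi = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
            cells.append(f"[ {lo} , {hi} ]")
        lines.append(" ; ".join(cells))
    return lines


# Constructed input: ACL 1 of the Chapter IV example network, i.e.
#   access-list 1 deny 10.0.0.0 0.255.255.255
#   access-list 1 deny 127.0.0.0 0.255.255.255
#   access-list 1 permit any
ACL_1 = [
    ("deny", ((ip("10.0.0.0"), ip("10.255.255.255")), ANY_PORT, ANY_IP, ANY_PORT, ANY_PROTO)),
    ("deny", ((ip("127.0.0.0"), ip("127.255.255.255")), ANY_PORT, ANY_IP, ANY_PORT, ANY_PROTO)),
    ("permit", (ANY_IP, ANY_PORT, ANY_IP, ANY_PORT, ANY_PROTO)),
]

if __name__ == "__main__":
    print(subtract(((1, 7),), ((3, 5),)))                    # 1-tuple case of the text
    print(subtract(((1, 7), (9, 13)), ((3, 5), (10, 12))))   # 2-tuple case of the text
    for line in show(create_packet_set(ACL_1)):
        print(line)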
4. Importance of the PacketSet Data Structure 

The development of the PacketSet is a very important step in this 
research. Most of the complication in the operations is taken away with the 
relaxation of the sequential processing rule. There is no longer a need to 
process permit and deny rules separately. There is no longer a need to worry 
about the logic behind union and intersection operations (which are key to 
reachability computations) when having to deal with permit and deny rules. 


The PacketSet is a powerful mechanism with which various forms of 
manipulation can be performed. The logic in maintaining a PacketSet data 
structure is greatly simplified compared with a traditional packet filter structure. It 
is a streamlined form of representing a packet filter that enables set operations to 
be carried out easily. The PacketSet data structure is also extensible, in that more 
dimensions can be added when the need arises, e.g., for a more complete 
representation of a packet filter rule with the many options developed by Cisco. 
With a powerful and flexible data structure in place, the next logical step is to 
design the operations which are required to perform reachability computations. 

B. OPERATIONS 

1. Union Operation 

The union operation is one of the two basic operations of the reachability 
computation [3]. As the complexity of manipulating permit and deny rules has 
been taken out of the equation with the development of the PacketSet data 
structure, the union operation becomes a relatively simple task to perform: a 
PacketSet is itself the union of its tuples, so the union of two PacketSets is 
simply the collection of the tuples of both. 

The algorithm for the union operation is as follows: 

    1. Combine tuples of PacketSet 1 and PacketSet 2; 
    2. Perform optimization on the result of Step 1 to 
       merge and remove overlapping ranges; 


2. Intersection Operation 

The intersection operation is the other one of the two basic operations of the 
reachability computation [8]. Similar to the union operation, because the 
complexity of manipulating permit and deny rules has been eliminated with the 
development of the PacketSet data structure, the intersection operation becomes 
a relatively simple task to perform: since each PacketSet is a union of tuples, 
the intersection of two PacketSets is the union of the pairwise intersections of 
their tuples. 

The algorithm for the intersection operation is as follows: 

    1. Create an output PacketSet; 
    2. For each tuple in PacketSet 1, do 
         For each tuple in PacketSet 2, do 
    3.     Check intersection of dimension/range 1 of the 
           two tuples being compared; 
    4.     Repeat Step 3 for dimensions/ranges 2 through 5; 
    5.     If all five dimensions/ranges intersect, combine 
           the intersection results of Steps 3 and 4 to give 
           the output of the intersection operation; 
    6.     Else output is an empty PacketSet; 
    7.     Do a Union of the output obtained from Step 5 or 
           6 with the output PacketSet; 
    8. Perform optimization to merge and remove 
       overlapping ranges in the output PacketSet; 


3. Optimization Operation 

The optimization mentioned in Section A is the same as the optimization 
mentioned in the union and intersection operation sections. This operation aims 
to merge and remove overlapping ranges in the tuples. 

The algorithm for the optimization operation is as follows (assuming a 
PacketSet called input is the target of the operation): 

    1.  Do 
    2.    Initialize Boolean toContinue = false; 
    3.    For (i = 0 to size of input), do 
    4.      For (j = i+1 to size of input), do 
    5.        Get tuple i from input; 
    6.        Get tuple j from input; 
    7.        If all ranges in tuples i and j overlap, do 
    8.          Calculate the merged tuple; 
    9.          Remove tuples i and j from input; 
    10.         Add merged tuple at position i in input; 
    11.         toContinue = true; 
    12.       endif; 
    13. While (toContinue); 

Since the ordering of the 'rules' in a PacketSet does not matter, the above 
algorithm compares every tuple in the PacketSet with every other tuple to 
determine whether there are overlapping areas, and merges the two tuples into one 
whose range in each dimension runs from the smaller lower value to the larger 
upper value. Merging also takes place for tuples with adjacent ranges. 

The test at step 7 must be stricter than "all ranges overlap". The merged tuple 
represents exactly the union of the two originals only when one tuple contains the 
other, or when the two agree in every dimension but one and overlap or are adjacent 
in that one dimension. Two tuples that merely overlap in every dimension (for 
example [1,5];[1,5] and [3,8];[3,8]) must be left alone: their merged tuple 
[1,8];[1,8] would admit packets such as [7];[2] that neither original permits, and 
would turn the computed reachability bound into an over-approximation. 
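The union, intersection and optimization operations of this section, as an added worked example in Python (not the thesis's Java implementation). A PacketSet is a list of tuples and a tuple is a Python tuple of inclusive ranges; the sample PacketSets `LEFT`, `MIDDLE` and `WEB` are constructed for illustration and carry two dimensions to keep them short, the functions working for the 5-tuple unchanged. The merge test implements the stricter condition discussed above, so two tuples that merely overlap in every dimension are not merged:

```python
# Added example (Python, not the thesis's Java): union, intersection and the merge
# optimization on PacketSets.  A PacketSet is a list of tuples; a tuple is a Python
# tuple of inclusive (lower, upper) ranges, one per dimension.


def intersect_tuple(t1, t2):
    """Per-dimension [max lower, min upper]; None as soon as one dimension is empty."""
    out = []
    for (a_lo, a_hi), (b_lo, b_hi) in zip(t1, t2):
        lo, hi = max(a_lo, b_lo), min(a_hi, b_hi)
        if lo > hi:
            return None
        out.append((lo, hi))
    return tuple(out)


def contains(outer, inner):
    """True when every range of `inner` lies inside the matching range of `outer`."""
    return all(o_lo <= i_lo and i_hi <= o_hi
               for (o_lo, o_hi), (i_lo, i_hi) in zip(outer, inner))


def mergeable(t1, t2):
    """The bounding box of two tuples equals their union only if one contains the
    other, or they agree in every dimension but one and overlap or touch in that one.
    Merging tuples that merely overlap in every dimension would admit packets that
    neither tuple permits, so that case is deliberately not merged."""
    if contains(t1, t2) or contains(t2, t1):
        return True
    differing = [d for d in range(len(t1)) if t1[d] != t2[d]]
    if len(differing) != 1:
        return False
    (a_lo, a_hi), (b_lo, b_hi) = t1[differing[0]], t2[differing[0]]
    return max(a_lo, b_lo) <= min(a_hi, b_hi) + 1  # overlapping or adjacent


def optimize(packet_set):
    """The thesis's do/while loop: merge one qualifying pair, restart, until none is left."""
    ps = list(dict.fromkeys(packet_set))  # exact duplicates vanish; order is kept
    to_continue = True
    while to_continue:
        to_continue = False
        for i in range(len(ps)):
            for j in range(i + 1, len(ps)):
                if mergeable(ps[i], ps[j]):
                    ps[i] = tuple((min(a_lo, b_lo), max(a_hi, b_hi))
                                  for (a_lo, a_hi), (b_lo, b_hi) in zip(ps[i], ps[j]))
                    del ps[j]
                    to_continue = True
                    break
            if to_continue:
                break
    return ps


def union(ps1, ps2):
    """Step 1: combine the tuples of both PacketSets; step 2: optimize."""
    return optimize(list(ps1) + list(ps2))


def intersection(ps1, ps2):
    """Every tuple of ps1 against every tuple of ps2; empty results are dropped."""
    out = []
    for a in ps1:
        for b in ps2:
            t = intersect_tuple(a, b)
            if t is not None:
                out.append(t)
    return optimize(out)


# Constructed samples (two dimensions: an address-like range and a port-like range).
LEFT = [((1, 2), (9, 13)), ((6, 7), (9, 13))]   # what a deny of [3,5] leaves of [1,7];[9,13]
MIDDLE = [((3, 5), (9, 13))]                    # a later permit covering the hole
WEB = [((50, 200), (80, 80)), ((50, 200), (443, 443))]

if __name__ == "__main__":
    print(union(LEFT, MIDDLE))                            # adjacent ranges merge back to [1,7];[9,13]
    print(intersection([((0, 100), (0, 65535))], WEB))    # [50,100] on the first dimension
    print(optimize([((1, 5), (1, 5)), ((3, 8), (3, 8))])) # overlapping in both dimensions: left alone
```

`union(LEFT, MIDDLE)` returns the single tuple `((1, 7), (9, 13))`, because `[1,2]`, `[3,5]` and `[6,7]` are adjacent in the one dimension where the tuples differ; the last call keeps both tuples, which is the case the caveat above is about.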

C. NEIGHBOR COMPUTATION 

In order for the reachability algorithm to traverse the network topology 
based solely on router configuration files, it was necessary to estimate the 
network topology by means of computing the neighbors of routers. 


Routers on the same subnet are taken to be neighbors operating from the 
same switch. Thus, to compute a router’s neighbors, the IP address and mask 
on every interface of that router is used to determine its network prefix, and is 
compared against the network prefix of all interfaces on every other router. If 
they match, both interfaces on the two routers are taken to be neighbors. 

D. REACHABILITY COMPUTATION 

With the tools in place, it is now possible to perform RUB computations 
[3]. In the algorithm highlighted in Chapter II, the set of packets that a router 
will forward is influenced by both packet filters and routing protocols, hence there 
might be differences in the packets permitted from a router (on each interface) to 
each of its neighbors. For example, although a packet filter on a router permits a 
particular packet to pass to all of its neighbors, a routing protocol might not route 
the same packet to some of the router's neighbors. However, in this thesis, only 
the effects of packet filters are considered, hence the set of permitted packets 
from a router to its neighbors is the same for every neighbor reached through a 
given interface (assuming the inbound filters on the neighbors' interfaces are the 
same). 


The algorithm highlighted in Chapter II was adapted to work with the 
PacketSet data structure. The algorithm calculates the reachability from all 
routers to one single destination router, and extracts the reachability results for 
the user-defined source-destination pair of routers. 

In order to compute F_{i,j} (the set of packets that the network is able to 
carry over edge <i,j>, where u corresponds to an interface on i and v to an 
interface on j), the following algorithm was developed: 

    1. For (each edge <i,j> in network) do 
    2.   Initialize F_{i,j} to empty PacketSet; 
    3.   For (each physical link <u,v> between i and j) do 
    4.     Obtain all the ACLs activated by outbound queue of u; 
    5.     PacketSet S1 = Intersection of all PacketSets 
           specified by the ACLs obtained at step 4; 
    6.     Obtain all the ACLs activated by inbound queue of v; 
    7.     PacketSet S2 = Intersection of all PacketSets 
           specified by the ACLs obtained at step 6; 
    8.     F_{i,j} = F_{i,j} ∪ (S1 ∩ S2); 

An interface with no ACL applied imposes no restriction, so its queue contributes 
the whole PacketSet at step 5 or 7. 


Hence, the algorithm to compute the RUB for a given destination j is as 
follows: 

    1.  Initialize packetSetRUB[i][j] for all i: 
          to F_{i,j}, if i and j are neighbors; 
          to the whole PacketSet, if i = j; 
          to the empty PacketSet, otherwise; 
    2.  for (m = 0 to (numberOfRouters - 3)) do 
    3.    for (i = 0 to (numberOfRouters - 1), i ≠ j) do 
    4.      tempPacketSetRUB[i][j] = empty; 
    5.      for (each interface (z) on router i) do 
    6.        for (k = 0 to numberOfRouters - 1) do 
    7.          if (k has an interface that is a 
                    neighbor of i on interface z) 
    8.            intersectedPacketSetRUB = F_{i,k} ∩ 
                    packetSetRUB[k][j]; 
    9.            tempPacketSetRUB[i][j] = 
                    tempPacketSetRUB[i][j] ∪ 
                    intersectedPacketSetRUB; 
    10.         endif; 
    11.       endloop; 
    12.     packetSetRUB[i][j] = tempPacketSetRUB[i][j]; 

The algorithm thus generates, for each <i,j> node pair, a PacketSet for the 
RUB. The entry for the destination itself, packetSetRUB[j][j], is kept at the whole 
PacketSet throughout (step 3 skips i = j): if it were recomputed at step 12 it would 
shrink to the packets j can forward to its own neighbors, and the direct-link term 
F_{i,j} ∩ packetSetRUB[j][j] at step 8 would then lose packets that reach j over 
the last hop. 
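The neighbor computation of Section C, the F_{i,j} algorithm and the RUB iteration above, as an added worked example in Python (not the thesis's Java toolkit). The routers, interface addresses and ACL PacketSets are constructed for illustration, and the tuples carry two dimensions (source address, destination address) instead of five. Because F_{i,j} already unions over every physical link between i and j, the test "k has an interface that is a neighbor of i on interface z" collapses to "an edge <i,k> exists"; an interface without an ACL is assumed to contribute the whole PacketSet, and tuple merging is left out, so results are compared as sets of tuples:

```python
# Added example (Python, not the thesis's Java): neighbor derivation from interface
# prefixes, F_{i,j} from the ACLs on each link, and the RUB iteration for one
# destination.  Routers, interfaces and ACL PacketSets are constructed.
import ipaddress

ANY = (0, 2**32 - 1)
WHOLE = [(ANY, ANY)]  # the whole PacketSet: no restriction (two dimensions here)


def ip(dotted):
    return int(ipaddress.IPv4Address(dotted))


def intersection(ps1, ps2):
    """Pairwise tuple intersection, per dimension [max lower, min upper]."""
    out = []
    for a in ps1:
        for b in ps2:
            t = tuple((max(x[0], y[0]), min(x[1], y[1])) for x, y in zip(a, b))
            if all(lo <= hi for lo, hi in t):
                out.append(t)
    return list(dict.fromkeys(out))


def union(ps1, ps2):
    return list(dict.fromkeys(list(ps1) + list(ps2)))


def intersect_all(packet_sets):
    """Intersection of every PacketSet on one interface queue; no ACL means WHOLE."""
    acc = WHOLE
    for ps in packet_sets:
        acc = intersection(acc, ps)
    return acc


def link_sets(routers, acl_out, acl_in):
    """Neighbor computation plus F_{i,j}.  Interfaces whose address/mask give the
    same prefix are taken to sit on one switch, so each such (u on i, v on j) pair
    is a physical link; F_{i,j} is the union over those links of
    (outbound PacketSets on u) ∩ (inbound PacketSets on v)."""
    prefix = {(r, ifc): ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
              for r, ifcs in routers.items() for ifc, (addr, mask) in ifcs.items()}
    F = {}
    for (i, u), pu in prefix.items():
        for (j, v), pv in prefix.items():
            if i != j and pu == pv:
                s1 = intersect_all(acl_out.get((i, u), []))
                s2 = intersect_all(acl_in.get((j, v), []))
                F[(i, j)] = union(F.get((i, j), []), intersection(s1, s2))
    return F


def rub(routers, F, j):
    """Reachability upper bound from every router to destination j."""
    names = list(routers)
    R = {i: (WHOLE if i == j else F.get((i, j), [])) for i in names}
    for _ in range(len(names) - 2):  # after m sweeps: paths of up to m+1 hops
        for i in names:
            if i == j:
                continue  # the destination's own entry stays the whole PacketSet
            temp = []
            for k in names:
                if (i, k) in F:  # k has an interface that is a neighbor of i
                    temp = union(temp, intersection(F[(i, k)], R[k]))
            R[i] = temp
    return R


# Constructed topology: R1, R2, R3 share 100.1.1.0/24; R2 and R4 share 100.1.2.0/24.
ROUTERS = {
    "R1": {"e0": ("100.1.1.1", "255.255.255.0")},
    "R2": {"e0": ("100.1.1.3", "255.255.255.0"), "e1": ("100.1.2.1", "255.255.255.0")},
    "R3": {"e0": ("100.1.1.2", "255.255.255.0")},
    "R4": {"e0": ("100.1.2.2", "255.255.255.0")},
}
# Constructed PacketSets (already in permit-only form), keyed by (router, interface):
#   R2 e1 outbound: permit only sources in 100.1.1.0/24
#   R4 e0 inbound:  deny source 100.1.1.3, permit everything else
ACL_OUT = {("R2", "e1"): [[((ip("100.1.1.0"), ip("100.1.1.255")), ANY)]]}
ACL_IN = {("R4", "e0"): [[((0, ip("100.1.1.2")), ANY), ((ip("100.1.1.4"), ANY[1]), ANY)]]}

if __name__ == "__main__":
    F = link_sets(ROUTERS, ACL_OUT, ACL_IN)
    for i, ps in rub(ROUTERS, F, "R4").items():
        print(i, "-> R4:", ps)
```

For destination R4 the bound from R1 is the two tuples of F_{R2,R4}: the unfiltered link R1–R2 contributes the whole PacketSet, and the only path continues through R2's outbound filter and R4's inbound filter, which together admit sources 100.1.1.0–100.1.1.2 and 100.1.1.4–100.1.1.255 only.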
E. USER GUI 
The user Graphical User Interface (GUI) will enable users to navigate 
through the functions of the automated solution easily. It will allow user selection 
of the routers to be analyzed and subsequent presentation of the results of the 
analysis. The design of this GUI will be crucial in presenting the users with the 
right type of information in an easy-to-understand format. 
1. Target Users 
The expected users of the system are the network designers and 
operators. These users are trained professionals who are familiar with the 
network’s design and router configuration programming. 
a. User Characteristics 
The primary user of the system is a network designer/operator, 
whose job is to ensure that network resources are utilized efficiently, and fulfill 
the security policy requirements. The system will be used for calculating the 
static reachability of a network, during the design phase or when verifying 
security policy compliance. It would be used occasionally, though not likely on a 
daily basis. It is difficult to predict the frequency of use, since it will be called 
upon only as need arises. It could range from once a week to once a month. 
b. User Skills 

Users are networking professionals, and hence would be familiar 
with basic computer operation and networking vernacular in general. They would 
probably have typing skills, though the system would not require it. Apart from 
mouse clicks, a few keyboard strokes at the most would be required. Being in 
the computer industry, users would be familiar with web browsers and programs 
in general. 
2. Design Criteria 
The design criteria of the user GUI encompass the following: 
a. Easy to Learn 
The user needs to be able to learn how to use the system with 
minimal training. The user is guided through step by step interfaces. 
b. Minimum User Memory Load 
The system is not expected to be used frequently, and the user 
should be able to maintain proficiency even with very sporadic usage. 
c. Intuitive Presentation 
The system should present information, such as progress status or 
error alerts, in a concise and intuitive manner. 
d. Efficient 
The user should not be overloaded with unnecessary information. 
Information must be concise and unambiguous for the user to carry out this task 
as quickly as possible, with minimal actions required for interaction. 
e. Error Tolerant 
The system should not allow users to enter incorrectly formatted 
data. It should show relevant and meaningful error messages. 
f. Engaging 
The tone and style of the interface should be pleasing to use. 
3. Functionalities 
The user GUI will feature several functions. 


a. Parsing of Router Configuration Files 

• User selection of input directory containing router configuration files. 
• User selection of output directory where results will be saved. 
• User-initiated parsing of the router configuration files in the input directory. 
• Parsed output would be saved to the output directory. 

b. Reachability Computations 

• User selection of two routers for reachability bound computation to be 
  performed upon. 
• User-initiated reachability bound computation of the two selected routers. 
• Reachability computations would be saved to the output directory specified 
  earlier. 

c. Miscellaneous 

• Inform user of program errors, with descriptions where possible. 
• Prevent erroneous data entry. 
4. Conceptual Design 

Main 
    Entry screen. Allows user to parse router configuration files. 
    Functions: 
    • Select source directory 
    • Select destination directory 
    • Parse 
    • Save parsed network data to files in the output directory 
    Links: 
    • Reachability Calculation 
    • Quit 
    • About 
    • Error 
    Objects: 
    • Network 
    Constraints: 
    • Source and destination directories must exist 

About 
    Displays credits message. 
    Functions: 
    • Displays information about the program creators 
    Links: 
    • Return to previous container 

Reachability Calculation 
    Allows user to perform reachability calculation. 
    Functions: 
    • Select source router 
    • Select destination router 
    • Calculate reachability between source and destination router 
    • Save output of calculations to a file in the output directory 
    Links: 
    • Quit 
    Objects: 
    • Network 
    Constraints: 
    • Not to be displayed before parsing is done 

Error 
    Displays error message. 
    Functions: 
    • Notifies user of an error 
    Links: 
    • Return to previous container 

Figure 1. Content Diagram for the Static Reachability Analysis Toolkit 
5. Visual Design 

[Figure 2 is a screenshot of the main screen of the Static Reachability Analysis 
Toolkit: a Source Directory field (D:\Routers) and a Destination Directory field 
(D:\Output), each with a Browse button; the warning "Attention: existing contents of 
destination directory will be deleted when parsing starts"; the buttons Parse Now, 
Calculate Reachability Bounds, About and Quit; and an information panel reading 
"Step 1: Type or browse for the source and destination directories. Step 2: Click on 
'Parse Now' to begin parsing the router configuration files in the source directory". 
The callouts on the figure read:] 

Users can either type in the directory path, or use the Browse button to search 
for the directory using a Windows Explorer interface. Default path is displayed 
initially. 

Information panel with step by step guide. 

Mouse click to activate. Center button is disabled initially to prevent user from 
triggering it before doing steps 1 and 2. 

Figure 2. Main Screen 
[Figure 3 is a screenshot of the reachability calculation screen: Source Router and 
Destination Router combo boxes, a "Calculate It!" button and an information panel 
reading "Select the source and destination routers for path calculation, then click 
'Calculate It!'". The callouts on the figure read:] 

Combo box to allow users to select from a list of routers that were parsed in 
step 2. This prevents users from keying in an invalid router name. 

Information panel with step by step guide. Mouse click to activate. 

Figure 3. Reachability Calculation Screen 

[Figure 4 is a screenshot of a "Selection Error" dialog box reading "Source and 
destination routers must not be the same!"] 

Figure 4. Sample Error Message Dialog Box 














[Figure 5 is a screenshot of the "About this tool" dialog box, reading: "Developed 
by Eric Wong and Geoffrey Xie, Department of Computer Science, Naval Postgraduate 
School, November 2006."] 

Figure 5. Information Dialog Box 

















F. CONCLUSION 

In this chapter, the different aspects of the system have been designed, 
from the algorithms to the human-computer interface. One of the most important 
aspects of the design was the PacketSet data structure. It is the key to this 
research effort, because it greatly simplifies the union and intersection operations 
that the RUB algorithm relies upon. In the next chapter, the implementation of 
this design will be covered, with specific examples to illustrate an operational 
system. 
IV. IMPLEMENTATION 

This chapter describes the implementation of the design from Chapter III, 
with the creation of a Static Reachability Analysis Toolkit, using Java. The steps 
taken by the software are explored in detail. An example is provided to illustrate 
how the software works. Building upon that example, a security policy related 
example is given to show the usefulness of this Toolkit. To provide an overview 
of the entire software design, the class diagram is also incorporated. The 
measures that were taken to ensure the success of the system are also 
highlighted. The creation of the Static Reachability Analysis Toolkit underscores 
the success of this research effort. 

A. SOFTWARE IMPLEMENTATION 

The system software was created with Java, using NetBeans IDE 5.0 [12]. 
NetBeans is a free, open-source IDE for software developers, and runs on many 
platforms such as Windows and Linux. The program does not require large 
amounts of CPU power or memory. Most of the research was performed on a 
Pentium M 1.86 GHz CPU with 1 GB of RAM. Java version 1.5.0_07-b03 was 
used to compile the code. The algorithms mentioned in Chapter III were 
implemented in Java. 

1. Assumptions and Limitations 

It was assumed that router configuration files followed the Cisco IOS 
syntax exactly, since the router configurations had to have been entered by a 
Cisco IOS interface. 


Of the different types of ACLs mentioned in Chapter Il, only numbered 
standard and extended ACLs are handled by the system (e.g., named ACLs are 
not handled). 

2. Sample Router Configuration File 

Router configuration files are snapshots of a router’s configuration at a 
particular moment in time. The reachability analysis is based solely on these 
router configuration files. A sample router configuration file is attached in 
Appendix B. 
3. Parsing a Router Configuration File 

The first stage of the automated solution is the parsing of router 
configuration files. The Java program contains a parser that handles router 
configuration files stored in a directory, which a user can select. Upon 
completion of the parsing operation, the resulting files are stored in a user-
selected directory. 

The parsing operation is a two-step function. The first step converts each 
router configuration file into a raw parsed format. The second step reads the 
ACLs from each parsed router configuration and generates the PacketSets for 
each ACL. 

Two types of output files are generated subsequently: a Network 
Data.txt file, and Router dump - <router name>.txt (where <router 
name> is the hostname stored in each router configuration file) files. The former 
contains the network id, as well as a list of routers processed. The latter are the 
individual parsed router configuration files, containing information such as 
PacketSets for each ACL, raw parsed data of each ACL, and interface 
information (stored by interface name, and interface IP). 

4. Computing Reachability 

After parsing is completed, the next stage of the automated solution is to 
perform reachability computations. The RUB of the system is computed, based 
on user selection of the source and destination routers. The output of the 
computation is stored in the earlier user-selected output directory. For each 
source-destination pair of routers selected, a correspondingly named output file 
is created containing the results of the reachability bound computations. 
5. Example Network 

[Figure 6, the network diagram, is not reproduced here.] 

Figure 6. Example Network for Algorithm Illustration 

Figure 6 shows an example network for the purpose of illustrating the 
algorithm for the computation of the reachability bound. There are 3 sub-
networks in the example network, with routers connected in each sub-network via 
a switch. This reflects how the system views each sub-network using the 
neighbor concept. For example, R1 has an IP address of 100.1.1.1, R2 has an 
IP address of 100.1.1.3, and R3 has an IP address of 100.1.1.2. Each of these 
routers (R1 to R3) has an ACL (ACL 1) applied on its inbound interface. 

The table below details the ACLs that will be applied on the inbound 
interfaces on the routers in the above example network. 

    access-list 1 deny 10.0.0.0 0.255.255.255 
    access-list 1 deny 127.0.0.0 0.255.255.255 
    access-list 1 permit any 

    access-list 2 deny 136.142.0.0 0.0.255.255 
    access-list 2 permit 124.0.0.0 0.255.255.255 

    access-list 103 deny udp any any eq snmp 
    access-list 103 permit ip any any 

Table 2. ACLs Used in the Example Network 
Following the format of a 5-tuple outlined in Chapter III, an example of the 
output of the system would be: 

    Reachability Upper Bound from R1 to R4: 

    [ 0.0.0.0 , 9.255.255.255 ] ; [ 0 , 65535 ] ; [ 0.0.0.0 , 255.255.255.255 ] ; [ 0 , 65535 ] ; [ 0 , 255 ] 
    [ 11.0.0.0 , 126.255.255.255 ] ; [ 0 , 65535 ] ; [ 0.0.0.0 , 255.255.255.255 ] ; [ 0 , 65535 ] ; [ 0 , 255 ] 
    [ 128.0.0.0 , 255.255.255.255 ] ; [ 0 , 65535 ] ; [ 0.0.0.0 , 255.255.255.255 ] ; [ 0 , 65535 ] ; [ 0 , 255 ] 

These three tuples are the permit any rule of ACL 1 with the two denied source 
blocks (10.0.0.0/8 and 127.0.0.0/8) cut out of the source address dimension; all 
other dimensions keep their full range. 
6. Security Policy Implications 
The above example showed how the Static Reachability Analysis Toolkit 
performs reachability computations based on the router configurations. 
However, it may not be apparent how security policies are affected. 


The following example attempts to depict how changes in router 
configuration can affect security policy, how the security policy change can be 
overlooked, and how the Toolkit helps to detect the implication to the existing 
security policy. 











[Figure 7, the enterprise network diagram, is not reproduced here. Its legend 
distinguishes interfaces, subnets, primary links, backup links, the external router 
R6, the link to the Internet, and packet filters; ACL 1 to ACL 4 are marked on the 
links they are applied to.] 

Figure 7. Example Enterprise Network (From [3]) 
This example is based on the one in [3], with an example enterprise 
network consisting of five routers, named R1 to R5. R1 and R3 are remote sales 
offices, and R2, R4, and R5 are at the central office. R6 is the gateway to the 
Internet. The network policy is to allow hosts on subnets A1 and A3 to 
communicate with the Microsoft SQL servers (port 1433) on subnet A5, and to 
prevent any other subnets from accessing the same servers. Also, policy 
dictates that all Sun ND protocol (protocol 77) packets be denied from entering 
the central office. In addition, multicast packets (in 224.0.0.0/8) are denied from 
leaving R3; and mobile IP (protocol 55) packets are also denied from reaching 
the servers. The referenced example also uses an implicit permit any rule as 
default. 

The ACLs for the above are as follows: 


ACL 1 
access-list 101 permit tcp 110.0.0.0 0.255.255.255 150.0.0.0 0.255.255.255 eq 1433 
access-list 101 deny tcp any any eq 1433 
access-list 101 permit ip any any 

ACL 2 
access-list 102 deny 77 any any 
access-list 102 permit ip any any 

ACL 3 
access-list 103 permit tcp 130.0.0.0 0.255.255.255 150.0.0.0 0.255.255.255 eq 1433 
access-list 103 deny tcp any any eq 1433 
access-list 103 deny ip any 224.0.0.0 0.255.255.255 
access-list 103 permit ip any any 

ACL 4 
access-list 104 deny 55 any any 
access-list 104 permit ip any any 





Taking the example of one RUB, from R3 to R5, packets allowed would 
belong to: 

[ 0.0.0.0 , 255.255.255.255 ] ; [ 0 , 65535 ] ; [ 0.0.0.0 , 223.255.255.255 ] ; [ 0 , 1432 ] ; [ 0 , 54 ] 
[ 0.0.0.0 , 255.255.255.255 ] ; [ 0 , 65535 ] ; [ 0.0.0.0 , 223.255.255.255 ] ; [ 0 , 65535 ] ; [ 56 , 76 ] 
[ 0.0.0.0 , 255.255.255.255 ] ; [ 0 , 65535 ] ; [ 0.0.0.0 , 223.255.255.255 ] ; [ 0 , 65535 ] ; [ 78 , 255 ] 
[ 0.0.0.0 , 255.255.255.255 ] ; [ 0 , 65535 ] ; [ 0.0.0.0 , 223.255.255.255 ] ; [ 1433 , 1433 ] ; [ 0 , 5 ] 
[ 0.0.0.0 , 255.255.255.255 ] ; [ 0 , 65535 ] ; [ 0.0.0.0 , 223.255.255.255 ] ; [ 1433 , 1433 ] ; [ 7 , 54 ] 
[ 0.0.0.0 , 255.255.255.255 ] ; [ 0 , 65535 ] ; [ 0.0.0.0 , 223.255.255.255 ] ; [ 1434 , 65535 ] ; [ 0 , 54 ] 
[ 0.0.0.0 , 255.255.255.255 ] ; [ 0 , 65535 ] ; [ 225.0.0.0 , 255.255.255.255 ] ; [ 0 , 1432 ] ; [ 0 , 54 ] 
[ 0.0.0.0 , 255.255.255.255 ] ; [ 0 , 65535 ] ; [ 225.0.0.0 , 255.255.255.255 ] ; [ 0 , 65535 ] ; [ 56 , 76 ] 
[ 0.0.0.0 , 255.255.255.255 ] ; [ 0 , 65535 ] ; [ 225.0.0.0 , 255.255.255.255 ] ; [ 0 , 65535 ] ; [ 78 , 255 ] 
[ 0.0.0.0 , 255.255.255.255 ] ; [ 0 , 65535 ] ; [ 225.0.0.0 , 255.255.255.255 ] ; [ 1433 , 1433 ] ; [ 0 , 5 ] 
[ 0.0.0.0 , 255.255.255.255 ] ; [ 0 , 65535 ] ; [ 225.0.0.0 , 255.255.255.255 ] ; [ 1433 , 1433 ] ; [ 7 , 54 ] 
[ 0.0.0.0 , 255.255.255.255 ] ; [ 0 , 65535 ] ; [ 225.0.0.0 , 255.255.255.255 ] ; [ 1434 , 65535 ] ; [ 0 , 54 ] 
[ 130.0.0.0 , 130.255.255.255 ] ; [ 0 , 65535 ] ; [ 150.0.0.0 , 150.255.255.255 ] ; [ 1433 , 1433 ] ; [ 6 , 6 ] 





Now, take the case where the two backup links (dotted lines) were added. 
The network operators felt that the security policy would be satisfied if the routing 
parameters on the routers were reconfigured to use the backup links under 
failure scenarios only. It should work, since the security policy was previously 
satisfied. 


However, after performing a reachability bound computation, the above 
design is shown to be flawed. Looking at the same RUB for R3 to R5, multicast 
traffic would leave R3, which is against the security policy (previously satisfied by 
ACL 3): 


[ 0.0.0.0 , 255.255.255.255 ] ; [ 0 , 65535 ] ; [ 0.0.0.0 , 255.255.255.255 ] ; [ 0 , 1432 ] ; [ 0 , 255 ] 
[ 0.0.0.0 , 255.255.255.255 ] ; [ 0 , 65535 ] ; [ 0.0.0.0 , 255.255.255.255 ] ; [ 1433 , 1433 ] ; [ 0 , 5 ] 
[ 0.0.0.0 , 255.255.255.255 ] ; [ 0 , 65535 ] ; [ 0.0.0.0 , 255.255.255.255 ] ; [ 1433 , 1433 ] ; [ 7 , 255 ] 
[ 0.0.0.0 , 255.255.255.255 ] ; [ 0 , 65535 ] ; [ 0.0.0.0 , 255.255.255.255 ] ; [ 0 , 65535 ] ; [ 56 , 76 ] 
[ 0.0.0.0 , 255.255.255.255 ] ; [ 0 , 65535 ] ; [ 0.0.0.0 , 255.255.255.255 ] ; [ 0 , 65535 ] ; [ 78 , 255 ] 
[ 110.0.0.0 , 110.255.255.255 ] ; [ 0 , 65535 ] ; [ 150.0.0.0 , 150.255.255.255 ] ; [ 1433 , 1433 ] ; [ 6 , 6 ] 
[ 130.0.0.0 , 130.255.255.255 ] ; [ 0 , 65535 ] ; [ 150.0.0.0 , 150.255.255.255 ] ; [ 1433 , 1433 ] ; [ 6 , 6 ] 
(one further tuple of this RUB is illegible in the source) 

In this scenario, tools (e.g., traceroute, ping) that experimentally test the 
reachability between two hosts would not be able to verify whether the backup 
link configuration satisfied the security policy, unless the main links were shut 
down. 

Thus we can see how the use of this Toolkit can help network 
designers/operators detect problems with security policy requirements early. 
7. Class Diagram 

The class diagram of the software is shown below: 

Figure 8. Class Diagram 
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8. Source Code 
The code for the system software is organized by classes and is attached 
in Appendix C. 


The first step of parsing the router configuration files stores all the 
parameters as a string representation in the various classes for easy future 
manipulation. The ACL rules were stored in a class which preserved the 
ordering of the rules, because they have to be processed sequentially. 


All the ranges in the PacketSet representation are specified with a (long) 
integer. The purpose of using a long is to make it easy to manipulate IP 
addresses, as well as port and protocol numbers. IP addresses are converted to 
long by first converting them from their dotted decimal representation to their bit- 
string representation, and subsequently converting their bit-string (base two) to 
an integer (base ten). Port and protocol names are converted to their number 
equivalent using a lookup table [13, 14]. 
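As an added example (not the Toolkit's convertIPtoIntegerRange or its lookup tables), the conversion described above in Java: dotted decimal to a long, a Cisco wildcard to [lower, upper] ranges, and port and protocol names to numbers through a small lookup table. A single range per field describes a contiguous wildcard exactly; the example goes one step further and emits one range per matched block when the wildcard is not contiguous. Class and method names are assumptions, and the lookup tables hold only the names the sample ACLs use.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/* Added example, not the Toolkit's code: Cisco ACL operands mapped to long ranges. */
public class AclRangeConversion {

    /* Hypothetical range type: inclusive [lower, upper] held as longs. */
    public static final class Range {
        public final long lower, upper;
        public Range(long lower, long upper) { this.lower = lower; this.upper = upper; }
        @Override public String toString() { return "[ " + lower + " , " + upper + " ]"; }
    }

    /* Dotted decimal to an unsigned 32-bit value in a long (the IP-as-long step). */
    public static long ipToLong(String dotted) {
        String[] octets = dotted.trim().split("\\.");
        if (octets.length != 4) throw new IllegalArgumentException("bad IPv4: " + dotted);
        long value = 0;
        for (String o : octets) {
            int n = Integer.parseInt(o);
            if (n < 0 || n > 255) throw new IllegalArgumentException("bad octet in " + dotted);
            value = (value << 8) | n;   // weights the octets by 2^24, 2^16, 2^8 and 1
        }
        return value;
    }

    public static String longToIp(long v) {
        return ((v >> 24) & 255) + "." + ((v >> 16) & 255) + "." + ((v >> 8) & 255) + "." + (v & 255);
    }

    /* Cisco wildcard: 0 bits must match, 1 bits are "don't care". A contiguous wildcard (0.0.255.255)
     * is exactly one range. A non-contiguous one (0.1.0.255) matches several disjoint blocks: each
     * "don't care" bit above the trailing run doubles the count, so every combination is enumerated. */
    public static List<Range> wildcardToRanges(String address, String wildcard) {
        List<Range> out = new ArrayList<>();
        if (address.equalsIgnoreCase("any")) { out.add(new Range(0L, 4294967295L)); return out; }
        long addr = ipToLong(address), wc = ipToLong(wildcard);
        long fixed = ~wc & 0xFFFFFFFFL;                                // bits that must match
        long base = addr & fixed;                                      // the fixed bits of addr
        int run = fixed == 0 ? 32 : Long.numberOfTrailingZeros(fixed); // trailing don't-care run
        long lowMask = run == 32 ? 0xFFFFFFFFL : (1L << run) - 1;
        List<Long> scattered = new ArrayList<>();                      // don't-care bits above the run
        for (int b = run; b < 32; b++) if ((wc & (1L << b)) != 0) scattered.add(1L << b);
        if (scattered.size() > 16) throw new IllegalArgumentException("wildcard too fragmented: " + wildcard);
        for (long combo = 0; combo < (1L << scattered.size()); combo++) {
            long start = base;
            for (int k = 0; k < scattered.size(); k++) if ((combo & (1L << k)) != 0) start |= scattered.get(k);
            out.add(new Range(start, start | lowMask));
        }
        out.sort((x, y) -> Long.compare(x.lower, y.lower));
        return out;
    }

    /* Lookup tables for the names the sample ACLs use; a full table would follow [13, 14]. */
    static final Map<String, Long> PORT_NAMES = new HashMap<>();
    static final Map<String, Long> PROTO_NAMES = new HashMap<>();
    static {
        PORT_NAMES.put("ftp", 21L); PORT_NAMES.put("telnet", 23L); PORT_NAMES.put("smtp", 25L);
        PORT_NAMES.put("domain", 53L); PORT_NAMES.put("www", 80L); PORT_NAMES.put("snmp", 161L);
        PROTO_NAMES.put("icmp", 1L); PROTO_NAMES.put("tcp", 6L); PROTO_NAMES.put("udp", 17L);
    }

    static long lookup(Map<String, Long> table, String token) {
        Long v = table.get(token.toLowerCase());
        return v != null ? v : Long.parseLong(token);   // a bare number is used as-is
    }

    /* Port operator as written in the ACL: none -> full range; eq, gt, lt, range -> bounded. */
    public static Range portToRange(String operator, String value, String value2) {
        if (operator == null) return new Range(0L, 65535L);
        long v = lookup(PORT_NAMES, value);
        switch (operator) {
            case "eq": return new Range(v, v);
            case "gt": return new Range(v + 1, 65535L);
            case "lt": return new Range(0L, v - 1);
            case "range": return new Range(v, lookup(PORT_NAMES, value2));
            default: throw new IllegalArgumentException("unknown port operator: " + operator);
        }
    }

    /* "ip" covers every protocol number; a name or a number selects exactly one. */
    public static Range protocolToRange(String token) {
        if (token.equalsIgnoreCase("ip")) return new Range(0L, 255L);
        long p = lookup(PROTO_NAMES, token);
        return new Range(p, p);
    }

    public static void main(String[] args) {
        // "access-list 103 deny udp any any eq snmp" from Table 2, one field at a time
        System.out.println(wildcardToRanges("any", null) + " ; " + portToRange(null, null, null) + " ; "
            + wildcardToRanges("any", null) + " ; " + portToRange("eq", "snmp", null) + " ; " + protocolToRange("udp"));
        for (Range r : wildcardToRanges("136.142.0.0", "0.0.255.255"))   // contiguous: one range
            System.out.println(longToIp(r.lower) + " - " + longToIp(r.upper));
        for (Range r : wildcardToRanges("10.0.0.0", "0.1.0.255"))        // constructed, non-contiguous: two ranges
            System.out.println(longToIp(r.lower) + " - " + longToIp(r.upper));
    }
}
```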

B. TRIAL WITH REAL WORLD ROUTER CONFIGURATIONS 

Although it was not an objective to analyze a set of router configuration 
files, testing was done with real world router configuration files from Carnegie- 
Mellon University (CMU). 


A set of twenty router configuration files from CMU was run on a Pentium 
M 1.86 GHz system with 1 GB of RAM, and the following was observed. 

1. Processing Time 

For the parsing stage, with the set of twenty router configuration files, it 
took less than one second to parse these files and create the 
corresponding PacketSets for every ACL (packet filter). 


For the reachability computation stage, it took less than three seconds to 
complete the computations for any source-destination pair. 

2. PacketSet Efficiency 

The set of twenty router configuration files from CMU had a total of 204 
ACLs, and 1,332 ACL rules (rules in each packet filter). From this set, the Toolkit 
generated 2,245 PacketSet elements, amounting to 168.54% of the number of 
ACL rules. However, the mean of the per-ACL ratios of PacketSet elements to 
ACL rules is much lower, at 127.53%. This means that the PacketSet 
representation, which already allows for a much more flexible representation of 
packet filter rules, is also a rather efficient representation in terms of storage. 


It was also observed that there is no direct correspondence between the 
number of ACL rules and the number of PacketSet elements generated. For 
instance, an ACL with 15 ACL rules was represented by just 10 PacketSet 
elements. Yet on another occasion, an ACL with 14 ACL rules required 126 
PacketSet elements for representation. The number of PacketSet elements 
depends more on the complexity of the ACL rules, i.e., interleaving of permit and 
deny rules and granularity of each rule. The more granular each rule is, and the 
more interleaved permit and deny rules are, the greater the number of PacketSet 
elements. 


See Appendix D for more details of the data set. 
C. CONCLUSION 

This chapter provided an account of how the Toolkit should be used to 
compute RUBs. Two examples were given to illustrate the operation of the 
Toolkit with router configuration files from a network. The next chapter will sum 
up the entire thesis effort, and provide some recommendations for future work. 
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V. CONCLUSION AND RECOMMENDATIONS 


This thesis has partially validated the static reachability analysis 
framework developed in [3] through a Java implementation. It demonstrates that 
the effects of statically configured packet filters on the reachability upper bounds 
of a network can be computed efficiently. This is an exciting step, because the 
implementation may be extended into a complete automated solution for static 
analysis of network reachability. The solution will be critical for verifying that the 
security policy of a network is satisfied by the network’s design, under routine 
conditions, as well as failure scenarios. 


The use of a PacketSet (defined in Chapter III) is crucial for performing 
operations such as union and intersection of packet filters across an entire 
network. Hence the creation of the PacketSet data structure was a key factor in 
the success of this research. Mapping all packet filter rules, consisting of both 
permits and denies, into a single PacketSet consisting purely of “permits” makes 
it an easy and flexible data structure to use. 


This Toolkit has shown that it is also possible to compute finer-grain 
RUBs. For instance, whether a particular type of packet like port 80 traffic will be 
permitted between two hosts can be determined just by looking at the RUB 
results. 


For future work, in addition to performing more rigorous tests of the Static 
Reachability Analysis Toolkit developed in this thesis with larger networks, the 
RLB algorithm outlined in [3] would have to be studied and validated for use with 
an automated solution. 


At the time of writing, AT&T researchers were requested to assist in the 
testing of the developed Toolkit with larger networks, as well as collaborate on 
the verification of the routing protocol mechanism for use in an automated 
solution in conjunction with another thesis effort. 

Therefore, work on the development of an automated solution that also 
considers the effects of routing protocols and packet transformations, to 
complete the automation of the static analysis framework [3], can now proceed. 
Thus, one future research area is the implementation of the techniques outlined 
in [3] with Java, to extend the features of the Static Reachability Analysis Toolkit. 


Another possible research area is the development of a more efficient 
data structure to replace the tuple data structure used in this thesis, which may 
be beneficial when applied to very large networks, used in conjunction with an 
automated solution that considers packet filters, routing protocols and packet 
transformations. 


With the development of the Static Reachability Analysis Toolkit, the state- 
of-the-art is one step closer towards having networks that completely satisfy their 
security policies. Incorporating routing protocol and packet transformation 
aspects in the Toolkit will enable networks of the future to be more secure, 
because human design error will be mitigated with this verification tool. 
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APPENDIX A. SYNTAX EXPLANATION 


The explanation for the Cisco IOS syntax used in Chapter II is as follows 
(extracted from [15]): 

Bold indicates commands and keywords. Example: access-list 
Italics indicate user variables. Example: access-list-number 
Braces ({ }) indicate a required choice. Example: {permit | deny} 
Vertical bars ( | ) separate alternative, mutually exclusive arguments. Example: {permit | deny} 
Square brackets ([ ]) indicate optional elements. Example: [tos tos] 
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APPENDIX B. SAMPLE ROUTER CONFIGURATION FILE 


! 
! Last configuration change at 12:00:00 PST Tue Nov 28 2006 
! NVRAM config last updated at 12:00:00 PST Tue Nov 28 2006 
! 
version 12.2 
no service pad 
service timestamps debug datetime msec localtime show-timezone 
service timestamps log datetime msec localtime show-timezone 
service password DELETED 
no service single-slot-reload-enable 
! 
hostname R2.gw 
! 
interface subnet1 
 description R2 to R1 
 ip address 10.0.0.2 255.255.255.252 
 ip access-group 101 out 
! 
interface subnet4 
 description R2 to R6 
 ip address 40.0.0.1 255.255.255.252 
! 
interface subnet5 
 description R2 to R4 
 ip address 50.0.0.1 255.255.255.252 
 ip access-group 102 out 
! 
interface subnet6 
 description R2 to R3 
 ip address 60.0.0.1 255.255.255.252 
 ip access-group 103 out 
! 
access-list 101 permit tcp 110.0.0.0 0.255.255.255 150.0.0.0 0.255.255.255 eq 1433 
access-list 101 deny tcp any any eq 1433 
access-list 101 permit ip any any 
access-list 102 deny 77 any any 
access-list 102 permit ip any any 
access-list 103 permit tcp 130.0.0.0 0.255.255.255 150.0.0.0 0.255.255.255 eq 1433 
access-list 103 deny tcp any any eq 1433 
access-list 103 deny ip any 224.0.0.0 0.255.255.255 
access-list 103 permit ip any any 
! 
end 
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APPENDIX C. SOURCE CODES 


A. ACLRULE.JAVA 


package StaticReachabilityAnalysis;
/*
 * ACLrule.java
 */
import java.util.*;

// One parsed access-list line; every field is kept as the string read from the
// configuration file so that later stages can convert it as they need.
class ACLrule {
    String accessList;
    String accessListNumber;
    String dynamic;
    String dynamicName;
    String timeout;
    String timeoutMinutes;
    String permitDeny;
    String protocolLower;
    String protocolUpper;
    String source;
    String sourceWildcard;
    String sourcePortLower;
    String sourcePortUpper;
    String destination;
    String destinationWildcard;
    String destinationPortLower;
    String destinationPortUpper;
    String precedenceKeyword;
    String precedence;
    String tosKeyword;
    String tos;
    String logKeyword;
    String logInput;
    Boolean remark;

    ACLrule() {
        accessList = null;
        accessListNumber = null;
        dynamic = null;
        dynamicName = null;
        timeout = null;
        timeoutMinutes = null;
        permitDeny = null;
        protocolLower = null;
        protocolUpper = null;
        source = null;
        sourceWildcard = null;
        sourcePortLower = null;
        sourcePortUpper = null;
        destination = null;
        destinationWildcard = null;
        destinationPortLower = null;
        destinationPortUpper = null;
        precedenceKeyword = null;
        precedence = null;
        tosKeyword = null;
        tos = null;
        logKeyword = null;
        logInput = null;
        remark = false;
    }

    public String toString() {
        return accessList + " " + accessListNumber + " " + dynamic + " "
            + dynamicName + " " + timeout + " " + timeoutMinutes + " "
            + permitDeny + " " + protocolLower + " " + protocolUpper + " "
            + source + " " + sourceWildcard + " " + sourcePortLower + " "
            + sourcePortUpper + " " + destination + " " + destinationWildcard + " "
            + destinationPortLower + " " + destinationPortUpper + " "
            + precedenceKeyword + " " + precedence + " " + tosKeyword + " "
            + tos + " " + logKeyword + " " + logInput + " " + remark;
    }
} // end class ACLrule
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B. ACOMP.JAVA 


package StaticReachabilityAnalysis;
/*
 * AComp.java
 */
import java.util.*;

class AComp implements Comparator {
    // This Comparator overrides the default compare function
    // Used for the ArrayList sorting in OptimizePacketSet
    // Enables correct sorting of the tuples
    public int compare(Object a, Object b) {
        int result = 0;
        Tuple aTuple, bTuple;

        aTuple = (Tuple) a;
        bTuple = (Tuple) b;

        // if a is smaller than b, then a will come first
        // 1st Check : sourceIP.lower
        if (aTuple.sourceIP.lower == bTuple.sourceIP.lower) {
            // If tied, do 2nd Check : sourceIP.upper
            if (aTuple.sourceIP.upper == bTuple.sourceIP.upper) {
                // If tied again, do 3rd Check : sourcePort.lower
                if (aTuple.sourcePort.lower == bTuple.sourcePort.lower) {
                    // If tied again, do 4th Check : sourcePort.upper
                    if (aTuple.sourcePort.upper == bTuple.sourcePort.upper) {
                        // If tied again, do 5th Check : destinationIP.lower
                        if (aTuple.destinationIP.lower == bTuple.destinationIP.lower) {
                            // If tied again, do 6th Check : destinationIP.upper
                            if (aTuple.destinationIP.upper == bTuple.destinationIP.upper) {
                                // If tied again, do 7th Check : destinationPort.lower
                                if (aTuple.destinationPort.lower == bTuple.destinationPort.lower) {
                                    // If tied again, do 8th Check : destinationPort.upper
                                    if (aTuple.destinationPort.upper == bTuple.destinationPort.upper) {
                                        // If tied again, do 9th Check : protocol.lower
                                        if (aTuple.protocol.lower == bTuple.protocol.lower) {
                                            // If tied again, do 10th Check : protocol.upper
                                            if (aTuple.protocol.upper == bTuple.protocol.upper) result = 0;
                                            else if (aTuple.protocol.upper < bTuple.protocol.upper) result = -1;
                                            else result = 1;
                                        }
                                        else if (aTuple.protocol.lower < bTuple.protocol.lower) result = -1;
                                        else result = 1;
                                    }
                                    else if (aTuple.destinationPort.upper < bTuple.destinationPort.upper) result = -1;
                                    else result = 1;
                                }
                                else if (aTuple.destinationPort.lower < bTuple.destinationPort.lower) result = -1;
                                else result = 1;
                            }
                            else if (aTuple.destinationIP.upper < bTuple.destinationIP.upper) result = -1;
                            else result = 1;
                        }
                        else if (aTuple.destinationIP.lower < bTuple.destinationIP.lower) result = -1;
                        else result = 1;
                    } // end of 4th Check
                    else if (aTuple.sourcePort.upper < bTuple.sourcePort.upper) result = -1;
                    else result = 1;
                } // end of 3rd Check
                else if (aTuple.sourcePort.lower < bTuple.sourcePort.lower) result = -1;
                else result = 1;
            } // end of 2nd Check
            else if (aTuple.sourceIP.upper < bTuple.sourceIP.upper) result = -1;
            else result = 1;
        } // end of 1st Check
        else if (aTuple.sourceIP.lower < bTuple.sourceIP.lower) result = -1;
        else result = 1;

        return result;
    }

    /** Creates a new instance of AComp */
    AComp() {
    }
}
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C. DEBUGTOOLS.JAVA 
package StaticReachabilityAnalysis;
/*
 * DebugTools.java
 */
import java.util.*;
import java.io.*;

class DebugTools {

    /** Creates a new instance of DebugTools */
    DebugTools() {
    }

    /*
     * Writes the last ACL parsed into an output file
     */
    void CheckLastACLOutput(LinkedList a, PrintWriter out) {
        try {
            out.println("Parsed Output");
            out.println("access-list|" + " # |" + "dyn & #|"
                + "timeout & #|" + "permorden|"
                + " prot|" + " source & wc|"
                + "dest & wc|" + " prcd & #|" + "tos & #|"
                + "log & input ");
            Iterator itr = a.iterator();
            while (itr.hasNext()) {
                out.println(itr.next());   // relies on ACLrule.toString()
            }
        } catch (Exception e) { System.out.println("Error - " + e); }
    }

    /*
     * Writes the ACL rule parsed into an output file
     */
    void IntermediateParserCheck(ACLrule aclRule, FileWriter out) {
        try {
            out.write(aclRule.accessList + " |");
            out.write(aclRule.accessListNumber + " | ");
            out.write(aclRule.permitDeny + " |");
            out.write(aclRule.protocolLower + " | ");
            out.write(aclRule.source + " | ");
            out.write(aclRule.sourceWildcard + "| ");
            out.write(aclRule.destination + " |");
            out.write(aclRule.destinationWildcard + "| ");
            out.write("\r\n");
        } catch (Exception e) { System.out.println("Error - " + e); }
    }
}
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D. INTERFACECONFIG.JAVA 


package StaticReachabilityAnalysis;
/*
 * InterfaceConfig.java
 */
import java.util.*;

class InterfaceConfig {

    String interfaceName;   // Interface name
    String ipAddress;       // IP address - yet to handle secondary case!
    String ipMask;          // IP mask
    ArrayList neighbors;    // Array of neighbors --> make this array of objects
                            // First check whether IP mask is the same length or same?
                            // If same, check whether same network prefix (ip address + ip mask)
                            // If not same --> not neighbors
                            // If same network prefix --> neighbors
    ArrayList inFilters;    // Array of incoming filters
    ArrayList outFilters;   // Array of outgoing filters

    /** Creates a new instance of InterfaceConfig */
    InterfaceConfig() {
        interfaceName = null;
        ipAddress = null;
        ipMask = null; // Process_Neighbors
        // [if (currentInterface.ipMask.equals(interfaceToCompare.ipMask))] does
        // not work if set to null
        neighbors = new ArrayList();
        inFilters = new ArrayList();
        outFilters = new ArrayList();
    }

    public String toString() {
        return interfaceName + " " + ipAddress + " " + ipMask + " " + neighbors + " "
            + inFilters + " " + outFilters;
    }
}
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E. NETWORKCONFIG.JAVA 


package StaticReachabilityAnalysis;
/*
 * NetworkConfig.java
 */

import java.util.*;
import java.io.*;

class NetworkConfig {

    String networkName;        // Network name
    Hashtable tableOfRouters;  // Table of pointers to Routers

    /** Creates a new instance of NetworkConfig */
    NetworkConfig() {
        networkName = null;
        tableOfRouters = new Hashtable();
    }
}
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F. NETWORKDATADUMP.JAVA 


package StaticReachabilityAnalysis;
/*
 * NetworkDataDump.java
 */

import java.util.*;
import java.io.*;

class NetworkDataDump {

    /** Creates a new instance of NetworkDataDump */
    NetworkDataDump(NetworkConfig network, File outputDir) {
        try {
            DeleteFiles(outputDir);
            String outputFileName = "Network Data.txt";
            File outputFile = new File(outputDir, outputFileName);
            FileWriter outFile = new FileWriter(outputFile);

            // Data to be written to file
            outFile.write("Network ID :" + network.networkName + "\r\n\r\n");

            // test output to screen
            System.out.println("Network ID :" + network.networkName);

            // Write Router Data
            outFile.write("Router List : \r\n");
            System.out.println("Router List : "); // test output to screen

            int routerCounter = 0;
            RouterConfig currentRouter;
            Enumeration routerList = network.tableOfRouters.elements();

            while (routerList.hasMoreElements()) {
                currentRouter = (RouterConfig) routerList.nextElement();
                routerCounter++;
                outFile.write("(" + routerCounter + ") " + currentRouter.hostName + "\r\n");
                System.out.println("(" + routerCounter + ") " + currentRouter.hostName); // test output to screen

                currentRouter.Debug(currentRouter, outputDir);
            }

            // Close the file written to
            outFile.close();
        } catch (Exception e) { System.out.println("Error - " + e); }
    }

    // Empties the output directory (files in sub-directories included) before a new dump
    boolean DeleteFiles(File directory) {
        boolean success = false;
        if (directory.exists()) {
            File[] files = directory.listFiles();
            for (int i = 0; i < files.length; i++) {
                if (files[i].isDirectory()) {
                    success = DeleteFiles(files[i]);
                }
                else {
                    success = files[i].delete();
                }
            }
        }
        return success;
    }
}




G. PACKETSET.JAVA 


package StaticReachabilityAnalysis; 
ia 
* PacketSet.java 


of 


import java.util.*; 
import java.io.*; 
import java.math.*; 


class PacketSet { 


ArrayList tupleArray ; 

int octetLength = 8 ; 

long octet1 Multiplier = 16777216L ; 
int octet2Multiplier = 65536 ; 

int octet3Multiplier = 256 ; 

int octet4Multiplier = 1 ; 

long minIntegerIP = OL ; 

/* 4294967295 is max value of an IP (255.255.255.255) in decimal value */ 
long maxintegerlIP = 4294967295L ; 
long minPort = OL; 

long maxPort = 65535L; 

long minProtocol = 0; 

long maxProtocol = 255; 


/*** Creates a new instance of PacketSet ***/ 
PacketSet() { 
tupleArray = new ArrayList(); 


} 


/*** Set what to return when a function wants to display a PacketSet ***/ 
public String toString (){ 
String output= new String(); 
for (int counter=0; counter<tupleArray.size();counter++) 
output = output + tupleArray.get(counter) + " \r\n "; 
return output; 


} 


[ERR RAEEI ERR EEE EERE LEAL LEER LEAL ERLE RAE RES EER L ERA EAE EES 


* 


* Create PacketSets for every router in the network object 
* Determine how many routers are in the network object 
* For every router, run a CreatePacketSet function on it 
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* 


TERRE EEL E ALAS TAAL LEER ARES Se RAR Tee RRA Ee A ee AOC one ee en ey 


void CreateAllPacketSets (NetworkConfig network) { 


[ERE EE REE CREE RE RAE LEANER AD pe hee anit 


* Display for user 


BEALE E RE AAEA EER EA SEER ES REAR ERS ERASERS EAR ES [ 


System.out.printin("======= Creating Packet Sets ======="); 
[CAPA EE EAAS EEA RERL EEE REARS ER ERARE EE EERE RARER AE 

* Get the list of routers 

* Create PacketSets for each router 


REAR ERA RARE RENAE REA EE SERRERE LEER ERER EERE RES | 


Enumeration routerList = network.tableOfRouters.elements(); 
while ( routerList.hasMoreElements() ) { 
boolean success = CreatePacketSet 
((RouterConfig) routerList.nextElement()); 
if (success) System.out.printin 
(: - Packet Set created successfully "); 
else System.out.printin (" - No Packet Set created"); 


[PREREESERE EE CEE ERES EER ER EEE EE EE EERE SEALE 


* Display for user 


REAR REE AAE ERE REAR EERE KR EEA AE ER EREE ARERR REE | 


[pA EE CRETE TE Ee ETE Ne ene ter ee ENN SN ST ne eR RN ERG ee 
* 


* Generate PacketSets for a RouterConfig object. 

* Each PacketSet corresponds to an ACL stored in the RouterConfig object. 
* This object generated is stored in the same RouterConfig object. 

* A deny buffer is temporarily created to hold any deny rules. 

* Store the array of tuples for each ACL in a permit buffer. 

* Store final permit buffer in RouterConfig object 

* (as a TreeMap) with ACL number as the key. 


*x 


En EE SEEN Ree SES REESE eng eee eee Lee TERE f 


boolean CreatePacketSet (RouterConfig router) { 
boolean success = false; 
PacketSet permitBuffer, denyBuffer, interimBuffer ; 
String acl = new String(); 
Tuple currentTuple; 
LinkedList aclList; 
ACLrule aclRule; 
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Enumeration aclNumber = router.tableOfACLs.keys(); 
System.out.println("<<< Router :" + router.hostName + " >>>"); 


[RR RE EEE REESE EE ERLE SEAS EAE EE EO 


* Process all the elements in the ACL table, in order of the keys 
* Only one element is processed at a time. 
ERA TEETER EEE SAREE BRA Ra Ne ye 
while(aclNumber.hasMoreElements()) { 

/*** Get the next ACL ***/ 

acl = (String) aclNumber.nextElement();// Get the next ACL 


/*** Get the linked list of each ACL ***/ 
aclList = (LinkedList) router.tableOfACLs.get(acl); 


/*** Create a new deny and permit buffer ***/ 
denyBuffer = new PacketSet(); 
permitBuffer = new PacketSet(); 


/*** Process the ACL rules in the ACL, one at a time ***/ 
for (int counter=0; counter < aclList.size(); counter++) { 
/*** |nitialization ***/ 
currentTuple = new Tuple(); 
interimBuffer = new PacketSet(); 
aclRule = (ACLrule) aclList.get(counter); 


Yaa aaa aol al aaa a aad 


* Process current ACL rule into a tuple 

* Extract the 5 ranges from the ACL rule 

* and store in currentTuple 

BER ERE REA RE REELS REELS CER EA ER ERASER EEK | 

currentTuple.sourcelP = convertIPtolntegerRange 
(aclRule.source, aclRule.sourceWildcard); 

currentTuple.sourcePort = convertPortToRange 
(aclRule.sourcePortLower, aclRule.sourcePortUpper); 

currentTuple.destinationIP = convertlPtolntegerRange 
(aclRule.destination, aclRule.destinationWildcard); 

currentTuple.destinationPort = convertPortToRange 
(aclRule.destinationPortLower, aclRule.destinationPortUpper); 

currentTuple.protocol = convertProtocolloRange 
(aclRule.protocolLower, aclRule.protocolUpper); 


/*** |f ACL rule is a deny, add the 

* current tuple to the deny buffer ***/ 

if (aclRule.permitDeny.equalslgnoreCase("deny")) 
denyBuffer.tupleArray.add(currentTuple); 
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/*** Otherwise if ACL rule is a permit, do the following ***/ 
else if (aclRule.permitDeny.equalslgnoreCase("permit")) { 
interimBuffer.tupleArray.add(currentTuple); 


[REESE S ESSERE SAAS AAAS ERAS REE RE 


* If there are no deny rules, 

* add currentTuple to denyBuffer straightaway 

SAAS ESE SEER ARLES RARE EAE EE ASO TY 

if (denyBuffer.tupleArray.size()==0) { 
//permitBuffer.tupleArray.add(currentT uple); 
success = true; 


} 


[REESEAEASA ESA SERENE 


* Compare current permit tuple against each tuple 
* in the deny buffer one at a time 
RAE AE SEALERS AE AEER SEALE EERE SAS | 
for (int i=0; i<denyBuffer.tupleArray.size(); i++) { 
Tuple outputTuple = new Tuple(); 
boolean toDecrement = false; 
/*** Get the next tuple in the deny buffer ***/ 
Tuple denyTuple = (Tuple) denyBuffer.tupleArray.get(i); 


for (int j=0; j<interimBuffer.tupleArray.size(); j++) { 

toDecrement = interimBuffer.GetPermitTuple( 
(Tuple)interimBuffer.tupleArray.get(j), 
denyTuple,interimBuffer,j); 

success = true; 

/*** if object at position | was changed, 

* decrement j by 1 

* so as to process the new object ***/ 

if (toDecrement) j-- ; 


} 


} // end of else if (aclRule.permitDeny.equalslgnoreCase("permit")) 


/*** Add the interim buffer contents to the permit buffer ***/ 
permitBuffer.tupleArray.addAll(interimBuffer.tupleArray); 
} // end of for (int counter=0; counter < aclList.size(); counter++) 


[PEE EEE AES EERE EERE ESE 


* If there are ACLs in the Permit Buffer, 
*- Run the optimizer 
* - Add the permit buffer to the router object 


REA ERER ER ERAS EERE EREAA RELA EERE LES AERA ER ERE | 
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if (permitBuffer.tupleArray.size()>0) { 
// Optimize the Permit Buffer 
boolean isSuccess=false; 
isSuccess = OptimizePacketSet(permitBuffer) ; 


[PA RAESER ELAR ELENA SEER EA REARS EEE ERE ERAS © 


* Store the permitBuffer in the 
* routerConfig object Map, using acl as key 


SEALER EL EEL ERE EASELS ERE N EE Te REE E L 


router.mapOfPacketSets.put(acl, permitBuffer); 
} // end of while(aclNumber.hasMoreElements()) 


return success; 
} // end of CreatePacketSet 


/****************************************************************
 * Optimize a PacketSet
 *   - remove empty tuples
 *   - remove completely overlapping tuples
 *   - merge adjacent tuples
 *   - sort the tuples
 ****************************************************************/
boolean OptimizePacketSet(PacketSet inputPS) {
    boolean success = false;

    /************************************************************
     * Remove any empty tuples in the PacketSet
     * (an empty tuple is marked by sourceIP.lower == -1)
     ************************************************************/
    for (int i = 0; i < inputPS.tupleArray.size(); i++) {
        Tuple currentTuple = (Tuple) inputPS.tupleArray.get(i);
        if (currentTuple.sourceIP.lower == -1) {
            inputPS.tupleArray.remove(i);
            i--; // the next element has shifted into position i
            success = true;
        }
    }

    /************************************************************
     * Loop through looking for overlapping tuples.
     * Repeat until a full pass removes or merges nothing.
     ************************************************************/
    boolean toContinue;
    do {
        toContinue = false;

        /*** Use a double loop to process the elements in the PacketSet ***/
        for (int i = 0; i < inputPS.tupleArray.size() - 1; i++) {
            for (int j = i + 1; j < inputPS.tupleArray.size(); j++) {
                Tuple tuple1 = (Tuple) inputPS.tupleArray.get(i);
                Tuple tuple2 = (Tuple) inputPS.tupleArray.get(j);
                int decJ = ProcessOverlapTuple(tuple1, tuple2, inputPS, i, j);
                if (decJ >= 1) { // a tuple was removed (2) or the pair was merged (1)
                    toContinue = true;
                    j--; // in both cases the element at j is gone; re-examine position j
                }
            } // end of inner for loop
            if (toContinue) success = true;
        } // end of outer for loop
    } while (toContinue);

    /************************************************************
     * Sort the tuples (AComp is the tuple comparator of this class)
     ************************************************************/
    Object[] interimArray = inputPS.tupleArray.toArray();
    Arrays.sort(interimArray, new AComp());
    for (int i = 0; i < interimArray.length; i++)
        inputPS.tupleArray.set(i, interimArray[i]);

    return success;
} // end of OptimizePacketSet

/****************************************************************
 * Check 2 tuples for overlaps
 *   - Remove a tuple that is completely overlapped by another
 *   - Merge adjacent tuples
 *   - Do nothing about partially overlapping tuples
 *     (splitting them takes more storage otherwise)
 * Returns 2 if a tuple was removed, 1 if the pair was merged, 0 otherwise
 ****************************************************************/
int ProcessOverlapTuple(Tuple inputTuple1, Tuple inputTuple2,
                        PacketSet outputPS, int i, int j) {
    Tuple outputTuple = new Tuple();
    /*** decJ signals whether there was any successful removal
     *   or merging of tuples ***/
    int decJ = 0;

    /************************************************************
     * Check whether inputTuple1 and inputTuple2 have overlaps.
     * The merged tuple is stored in outputTuple and the return
     * value (result) encodes how the 5 ranges relate.
     * Process tuples according to the return value (result)
     ************************************************************/
    int result = CheckOverlapTuple(inputTuple1, inputTuple2, outputTuple);

    switch (result) {
        case 0: break; // at least one range does not overlap: do nothing

        /********************************************************
         * tuple1 completely covers tuple2 (every range is 3 or 5)
         ********************************************************/
        case 243:
        case 405:
        case 675:
        case 1125:
        case 1875:
            outputPS.tupleArray.remove(j); // remove tuple2
            decJ = 2;
            break;

        /********************************************************
         * tuple2 completely covers tuple1 (every range is 4 or 5;
         * 3125 means the two tuples are identical)
         ********************************************************/
        case 1024:
        case 1280:
        case 1600:
        case 2000:
        case 2500:
        case 3125:
            // remove tuple1
            outputPS.tupleArray.remove(i);
            // put tuple2 in tuple1's position
            outputPS.tupleArray.add(i, inputTuple2);
            // remove tuple2 from its original position
            outputPS.tupleArray.remove(j);
            decJ = 2;
            break;

        /********************************************************
         * 1 of the ranges in both tuples is adjacent and can be
         * combined, and the other ranges are exactly the same.
         * outputTuple holds the merged tuple.
         ********************************************************/
        case 1250:
            outputPS.tupleArray.add(i, outputTuple);
            outputPS.tupleArray.remove(i + 1); // the old tuple1
            outputPS.tupleArray.remove(j);     // tuple2 is back at index j
            decJ = 1;
            break;

        /********************************************************
         * at least 1 range in both tuples overlaps partially
         ********************************************************/
        default:
            decJ = 0; // do nothing
    }

    return decJ;
} // end of ProcessOverlapTuple

/****************************************************************
 * Function that checks all 5 ranges in each of the 2 tuples
 * Return the result of the check
 * As well as return the new tuple to outputTuple
 ****************************************************************/
int CheckOverlapTuple(Tuple inputTuple1, Tuple inputTuple2, Tuple outputTuple) {

    int result1 = CheckOverlap1Range(inputTuple1.sourceIP,
                                     inputTuple2.sourceIP, outputTuple.sourceIP);
    int result2 = CheckOverlap1Range(inputTuple1.sourcePort,
                                     inputTuple2.sourcePort, outputTuple.sourcePort);
    int result3 = CheckOverlap1Range(inputTuple1.destinationIP,
                                     inputTuple2.destinationIP, outputTuple.destinationIP);
    int result4 = CheckOverlap1Range(inputTuple1.destinationPort,
                                     inputTuple2.destinationPort, outputTuple.destinationPort);
    int result5 = CheckOverlap1Range(inputTuple1.protocol,
                                     inputTuple2.protocol, outputTuple.protocol);

    /************************************************************
     * Each per-range result is 0..5 (see CheckOverlap1Range); the
     * product of the 5 results identifies the combination:
     * if output = 1024, 1280, 1600, 2000, 2500 or 3125
     *     (only 4s and 5s), tuple2 completely covers tuple1.
     *     outputTuple can be used
     * if output = 243, 405, 675, 1125 or 1875 (only 3s and 5s),
     *     tuple1 completely covers tuple2. outputTuple can be used
     * if output = 1250 (one 2 and four 5s), 1 of the ranges in both
     *     tuples is adjacent and can be combined, and the other
     *     ranges are exactly the same. outputTuple can be used
     * if output = 1, all ranges in both tuples overlap partially.
     *     Need to use another function
     * if output = 0, at least 1 range does not overlap.
     ************************************************************/

    /*** Compact the return value ***/
    int output = result1 * result2 * result3 * result4 * result5;

    return output;
} // end of CheckOverlapTuple

/****************************************************************
 * Function that compares 2 ranges for an overlap
 * Return the result of the check
 * As well as return the new (combined) range to outputRange
 ****************************************************************/
int CheckOverlap1Range(Range inputRange1, Range inputRange2, Range outputRange) {
    long lower = 0L, upper = 0L;
    int output = 0;

    /************************************************************
     * if output=5, range1 and range2 are exactly the same
     * if output=4, range2 completely covers range1
     * if output=3, range1 completely covers range2
     * if output=2, ranges don't overlap, but they are
     *              adjacent and can be combined
     * if output=1, ranges overlap partially
     * if output=0, ranges do not overlap
     ************************************************************/

    /************************************************************
     * Ranges neither overlap nor touch, i.e., output=0
     ************************************************************/
    if (inputRange1.upper + 1 < inputRange2.lower ||
        inputRange2.upper + 1 < inputRange1.lower) {
        output = 0;
    }
    /************************************************************
     * Both ranges are exactly the same
     ************************************************************/
    else if (inputRange1.lower == inputRange2.lower &&
             inputRange1.upper == inputRange2.upper) {
        outputRange.lower = inputRange1.lower;
        outputRange.upper = inputRange1.upper;
        output = 5;
    }
    /************************************************************
     * For all other combinations: outputRange becomes the hull
     * [min lower, max upper]; (lower, upper) is the intersection
     ************************************************************/
    else {
        /*** Determine which is the lower value of both ranges ***/
        if (inputRange1.lower < inputRange2.lower) {
            outputRange.lower = inputRange1.lower;
            lower = inputRange2.lower;
        }
        else {
            outputRange.lower = inputRange2.lower;
            lower = inputRange1.lower;
        }

        /*** Determine which is the upper value of both ranges ***/
        if (inputRange1.upper < inputRange2.upper) {
            outputRange.upper = inputRange2.upper;
            upper = inputRange1.upper;
        }
        else {
            outputRange.upper = inputRange1.upper;
            upper = inputRange2.upper;
            /* // For debugging
            System.out.println("output upper : " + outputRange.upper
                               + "; upper : " + upper);
            */
        }

        /********************************************************
         * Check if upper value is >= lower value
         * If so, the intersection is a valid range: the ranges overlap
         * Otherwise they can only be adjacent (the non-adjacent case
         * was handled above); signal accordingly
         ********************************************************/
        if (upper >= lower) {
            if (inputRange2.lower == lower &&
                inputRange2.upper == upper) output = 3; // range2 lies inside range1
            else if (inputRange1.lower == lower &&
                     inputRange1.upper == upper) output = 4; // range1 lies inside range2
            else output = 1;
        }
        else if (upper + 1 == lower) output = 2;
    } // end else

    return output;
} // end of CheckOverlap1Range

/****************************************************************
 * Function that compares a permit tuple against a deny tuple
 * Saves the resultant permitted PacketSet to outputPS
 *
 * If at least 1 dimension/range doesn't overlap then nothing will be
 * added to outputPS (the deny tuple takes nothing away)
 *
 * outputPS doesn't need a value, because the calling function uses a
 * value in outputPS as permitTuple
 * count is the position of the permitTuple in outputPS
 *
 * permit \ deny is built one dimension at a time: the piece for
 * dimension k keeps the part(s) of permit's range k that lie outside
 * deny's range k, narrows every earlier dimension to its overlap with
 * deny, and keeps permit's full range in every later dimension. The
 * pieces are therefore disjoint and together cover exactly permit \ deny.
 ****************************************************************/
boolean GetPermitTuple(Tuple permitTuple, Tuple denyTuple,
                       PacketSet outputPS, int count) {
    boolean decrementCounter = false;
    Range outRange1 = new Range(), outRange2 = new Range();  // sourceIP pieces
    Range outRange3 = new Range(), outRange4 = new Range();  // destinationIP pieces
    Range outRange5 = new Range(), outRange6 = new Range();  // sourcePort pieces
    Range outRange7 = new Range(), outRange8 = new Range();  // destinationPort pieces
    Range outRange9 = new Range(), outRange10 = new Range(); // protocol pieces
    int result1 = 0, result2 = 0, result3 = 0, result4 = 0, result5 = 0;
    Tuple tuple1 = new Tuple(), tuple11 = new Tuple();
    Tuple tuple2 = new Tuple(), tuple22 = new Tuple();
    Tuple tuple3 = new Tuple(), tuple33 = new Tuple();
    Tuple tuple4 = new Tuple(), tuple44 = new Tuple();
    Tuple tuple5 = new Tuple(), tuple55 = new Tuple();

    result1 = GetPermitRange(permitTuple.sourceIP,
                             denyTuple.sourceIP, outRange1, outRange2);
    result2 = GetPermitRange(permitTuple.destinationIP,
                             denyTuple.destinationIP, outRange3, outRange4);
    result3 = GetPermitRange(permitTuple.sourcePort,
                             denyTuple.sourcePort, outRange5, outRange6);
    result4 = GetPermitRange(permitTuple.destinationPort,
                             denyTuple.destinationPort, outRange7, outRange8);
    result5 = GetPermitRange(permitTuple.protocol,
                             denyTuple.protocol, outRange9, outRange10);

    /*** -1 in any dimension means the deny tuple never matches permitTuple ***/
    if (result1 >= 0 && result2 >= 0 && result3 >= 0 &&
        result4 >= 0 && result5 >= 0) {
        Range temp = new Range();

        /*** Dimension 1: sourceIP outside the deny range, the rest as permitted ***/
        if (result1 >= 1) {
            tuple1.sourceIP = outRange1;
            tuple1.destinationIP = permitTuple.destinationIP;
            tuple1.sourcePort = permitTuple.sourcePort;
            tuple1.destinationPort = permitTuple.destinationPort;
            tuple1.protocol = permitTuple.protocol;
            outputPS.tupleArray.add(tuple1);
        }
        if (result1 == 2) {
            tuple11.sourceIP = outRange2;
            tuple11.destinationIP = permitTuple.destinationIP;
            tuple11.sourcePort = permitTuple.sourcePort;
            tuple11.destinationPort = permitTuple.destinationPort;
            tuple11.protocol = permitTuple.protocol;
            outputPS.tupleArray.add(tuple11);
        }

        /*** Dimension 2: sourceIP narrowed to the overlap, destinationIP outside ***/
        if (result2 >= 1) {
            if (GetOverlapRange(permitTuple.sourceIP, denyTuple.sourceIP, temp)) {
                tuple2.sourceIP.lower = temp.lower;
                tuple2.sourceIP.upper = temp.upper;
            }
            tuple2.destinationIP = outRange3;
            tuple2.sourcePort = permitTuple.sourcePort;
            tuple2.destinationPort = permitTuple.destinationPort;
            tuple2.protocol = permitTuple.protocol;
            outputPS.tupleArray.add(tuple2);
        }
        if (result2 == 2) {
            if (GetOverlapRange(permitTuple.sourceIP, denyTuple.sourceIP, temp)) {
                tuple22.sourceIP.lower = temp.lower;
                tuple22.sourceIP.upper = temp.upper;
            }
            tuple22.destinationIP = outRange4;
            tuple22.sourcePort = permitTuple.sourcePort;
            tuple22.destinationPort = permitTuple.destinationPort;
            tuple22.protocol = permitTuple.protocol;
            outputPS.tupleArray.add(tuple22);
        }

        /*** Dimension 3: both IPs narrowed, sourcePort outside ***/
        if (result3 >= 1) {
            if (GetOverlapRange(permitTuple.sourceIP, denyTuple.sourceIP, temp)) {
                tuple3.sourceIP.lower = temp.lower;
                tuple3.sourceIP.upper = temp.upper;
            }
            if (GetOverlapRange(permitTuple.destinationIP, denyTuple.destinationIP, temp)) {
                tuple3.destinationIP.lower = temp.lower;
                tuple3.destinationIP.upper = temp.upper;
            }
            tuple3.sourcePort = outRange5;
            tuple3.destinationPort = permitTuple.destinationPort;
            tuple3.protocol = permitTuple.protocol;
            outputPS.tupleArray.add(tuple3);
        }
        if (result3 == 2) {
            if (GetOverlapRange(permitTuple.sourceIP, denyTuple.sourceIP, temp)) {
                tuple33.sourceIP.lower = temp.lower;
                tuple33.sourceIP.upper = temp.upper;
            }
            if (GetOverlapRange(permitTuple.destinationIP, denyTuple.destinationIP, temp)) {
                tuple33.destinationIP.lower = temp.lower;
                tuple33.destinationIP.upper = temp.upper;
            }
            tuple33.sourcePort = outRange6;
            tuple33.destinationPort = permitTuple.destinationPort;
            tuple33.protocol = permitTuple.protocol;
            outputPS.tupleArray.add(tuple33);
        }

        /*** Dimension 4: IPs and sourcePort narrowed, destinationPort outside ***/
        if (result4 >= 1) {
            if (GetOverlapRange(permitTuple.sourceIP, denyTuple.sourceIP, temp)) {
                tuple4.sourceIP.lower = temp.lower;
                tuple4.sourceIP.upper = temp.upper;
            }
            if (GetOverlapRange(permitTuple.destinationIP, denyTuple.destinationIP, temp)) {
                tuple4.destinationIP.lower = temp.lower;
                tuple4.destinationIP.upper = temp.upper;
            }
            if (GetOverlapRange(permitTuple.sourcePort, denyTuple.sourcePort, temp)) {
                tuple4.sourcePort.lower = temp.lower;
                tuple4.sourcePort.upper = temp.upper;
            }
            tuple4.destinationPort = outRange7;
            tuple4.protocol = permitTuple.protocol;
            outputPS.tupleArray.add(tuple4);
        }
        if (result4 == 2) {
            if (GetOverlapRange(permitTuple.sourceIP, denyTuple.sourceIP, temp)) {
                tuple44.sourceIP.lower = temp.lower;
                tuple44.sourceIP.upper = temp.upper;
            }
            if (GetOverlapRange(permitTuple.destinationIP, denyTuple.destinationIP, temp)) {
                tuple44.destinationIP.lower = temp.lower;
                tuple44.destinationIP.upper = temp.upper;
            }
            if (GetOverlapRange(permitTuple.sourcePort, denyTuple.sourcePort, temp)) {
                tuple44.sourcePort.lower = temp.lower;
                tuple44.sourcePort.upper = temp.upper;
            }
            tuple44.destinationPort = outRange8;
            tuple44.protocol = permitTuple.protocol;
            outputPS.tupleArray.add(tuple44);
        }

        /*** Dimension 5: everything else narrowed, protocol outside ***/
        if (result5 >= 1) {
            if (GetOverlapRange(permitTuple.sourceIP, denyTuple.sourceIP, temp)) {
                tuple5.sourceIP.lower = temp.lower;
                tuple5.sourceIP.upper = temp.upper;
            }
            if (GetOverlapRange(permitTuple.destinationIP, denyTuple.destinationIP, temp)) {
                tuple5.destinationIP.lower = temp.lower;
                tuple5.destinationIP.upper = temp.upper;
            }
            if (GetOverlapRange(permitTuple.sourcePort, denyTuple.sourcePort, temp)) {
                tuple5.sourcePort.lower = temp.lower;
                tuple5.sourcePort.upper = temp.upper;
            }
            if (GetOverlapRange(permitTuple.destinationPort, denyTuple.destinationPort, temp)) {
                tuple5.destinationPort.lower = temp.lower;
                tuple5.destinationPort.upper = temp.upper;
            }
            tuple5.protocol = outRange9;
            outputPS.tupleArray.add(tuple5);
        }
        if (result5 == 2) {
            if (GetOverlapRange(permitTuple.sourceIP, denyTuple.sourceIP, temp)) {
                tuple55.sourceIP.lower = temp.lower;
                tuple55.sourceIP.upper = temp.upper;
            }
            if (GetOverlapRange(permitTuple.destinationIP, denyTuple.destinationIP, temp)) {
                tuple55.destinationIP.lower = temp.lower;
                tuple55.destinationIP.upper = temp.upper;
            }
            if (GetOverlapRange(permitTuple.sourcePort, denyTuple.sourcePort, temp)) {
                tuple55.sourcePort.lower = temp.lower;
                tuple55.sourcePort.upper = temp.upper;
            }
            if (GetOverlapRange(permitTuple.destinationPort, denyTuple.destinationPort, temp)) {
                tuple55.destinationPort.lower = temp.lower;
                tuple55.destinationPort.upper = temp.upper;
            }
            tuple55.protocol = outRange10;
            outputPS.tupleArray.add(tuple55);
        }

        /*** The original permit tuple is replaced by its pieces ***/
        outputPS.tupleArray.remove(count);
        decrementCounter = true;
    } // end if

    return decrementCounter;
} // end of GetPermitTuple

/****************************************************************
 * Function that finds the overlapping range in 2 ranges
 * Return the new range to outputRange; the return value says
 * whether that overlap is non-empty
 ****************************************************************/
boolean GetOverlapRange(Range inputRange1, Range inputRange2, Range outputRange) {
    boolean success = false;

    outputRange.lower = Math.max(inputRange1.lower, inputRange2.lower);
    outputRange.upper = Math.min(inputRange1.upper, inputRange2.upper);

    if (outputRange.upper >= outputRange.lower) success = true;

    return success;
} // end of GetOverlapRange

/****************************************************************
 * Function that compares a permit range against a deny range
 * Saves the 2 possible output ranges to outputRange1 and outputRange2
 * Return value signifies the extent of the overlap
 ****************************************************************/
int GetPermitRange(Range permitRange, Range denyRange,
                   Range outputRange1, Range outputRange2) {
    int numberOfOutputRanges = 0;

    /************************************************************
     *  0 means no outputRange used, full overlap (deny covers permit)
     *  1 means only 1 outputRange used (always outputRange1), there is overlap
     *  2 means 2 outputRanges used (deny lies strictly inside permit)
     * -1 means no intersection or overlap
     ************************************************************/

    /*** Determine 1st output range: the part of permit below deny ***/
    outputRange1.lower = permitRange.lower;
    outputRange1.upper = Math.min(denyRange.lower - 1, permitRange.upper);
    if (outputRange1.upper >= outputRange1.lower)
        numberOfOutputRanges++;

    /*** Determine 2nd output range: the part of permit above deny ***/
    outputRange2.lower = Math.max(permitRange.lower, denyRange.upper + 1);
    outputRange2.upper = permitRange.upper;
    if (outputRange2.upper >= outputRange2.lower)
        numberOfOutputRanges++;

    /*** If only the 2nd range survived, copy its bounds into outputRange1
     *   so the caller can always use outputRange1 when the result is 1.
     *   (Reassigning the outputRange1 parameter itself would not be seen
     *   by the caller, since Java passes the reference by value.) ***/
    if (numberOfOutputRanges == 1 && outputRange1.upper < outputRange1.lower) {
        outputRange1.lower = outputRange2.lower;
        outputRange1.upper = outputRange2.upper;
    }

    /*** If permit and deny ranges do not overlap ***/
    if ((denyRange.upper < permitRange.lower) ||
        (denyRange.lower > permitRange.upper))
        numberOfOutputRanges = -1;

    return numberOfOutputRanges;
} // end of GetPermitRange
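The subtraction in GetPermitTuple and GetPermitRange, the covering and adjacency merging in OptimizePacketSet, and the per-rule loop whose tail closes CreatePacketSet at the top of this listing, carried through end to end as an added Python example. It is not the thesis's Java and is not part of the original listing; the ACL, the five-dimensional bounds and the packet values are constructed, and the dimensions are kept tiny so that the resulting PacketSet can be compared exhaustively against first-match evaluation of the ACL. The helper names are this example's own. It goes slightly beyond the listing in one respect: the merge step also joins tuples that overlap, not only ones that are adjacent, in a single dimension.

```python
from itertools import product

DIMS = 5  # srcIP, dstIP, srcPort, dstPort, protocol; each a closed (lo, hi) range


def subtract_range(permit, deny):
    """Pieces of the closed range `permit` that lie outside `deny` (0, 1 or 2)."""
    plo, phi = permit
    dlo, dhi = deny
    pieces = []
    if dlo > plo:
        pieces.append((plo, min(phi, dlo - 1)))   # part below the deny range
    if dhi < phi:
        pieces.append((max(plo, dhi + 1), phi))   # part above the deny range
    return pieces


def intersect_range(a, b):
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def subtract_tuple(permit, deny):
    """permit \\ deny as disjoint tuples, one dimension at a time: piece k keeps
    the part of permit[k] outside deny[k], dimensions before k are cut down to
    the overlap with deny, dimensions after k keep the full permit range."""
    overlap = [intersect_range(p, d) for p, d in zip(permit, deny)]
    if None in overlap:
        return [permit]                  # the deny rule never matches this tuple
    pieces = []
    for k in range(DIMS):
        for part in subtract_range(permit[k], deny[k]):
            pieces.append(tuple(overlap[:k]) + (part,) + tuple(permit[k + 1:]))
    return pieces


def covers(a, b):
    """True when tuple a contains tuple b in every dimension."""
    return all(x[0] <= y[0] and y[1] <= x[1] for x, y in zip(a, b))


def optimize(tuples):
    """Drop tuples covered by another one and merge pairs that are equal in four
    dimensions and adjacent or overlapping in the fifth."""
    ts = list(dict.fromkeys(tuples))     # exact duplicates first
    changed = True
    while changed:
        changed = False
        for i in range(len(ts)):
            for j in range(len(ts)):
                if i == j:
                    continue
                a, b = ts[i], ts[j]
                if covers(a, b):
                    del ts[j]
                    changed = True
                    break
                diff = [k for k in range(DIMS) if a[k] != b[k]]
                if len(diff) == 1:
                    k = diff[0]
                    if a[k][0] <= b[k][1] + 1 and b[k][0] <= a[k][1] + 1:
                        merged = (min(a[k][0], b[k][0]), max(a[k][1], b[k][1]))
                        ts[i] = a[:k] + (merged,) + a[k + 1:]
                        del ts[j]
                        changed = True
                        break
            if changed:
                break
    return sorted(ts)


def acl_to_packetset(rules):
    """rules: ordered list of ('permit' | 'deny', tuple). First match wins, so a
    permit rule contributes only what no earlier deny rule already matched."""
    permit_set, denies = [], []
    for action, t in rules:
        if action == 'deny':
            denies.append(t)
            continue
        interim = [t]
        for d in denies:
            interim = [piece for p in interim for piece in subtract_tuple(p, d)]
        permit_set.extend(interim)
    return optimize(permit_set)


def volume(tuples):
    """Number of packets covered, counting overlaps twice (equal to the true
    size only when the tuples are disjoint)."""
    total = 0
    for t in tuples:
        v = 1
        for lo, hi in t:
            v *= hi - lo + 1
        total += v
    return total


def first_match(rules, pkt):
    """Router semantics: the first matching rule decides; implicit deny at the end."""
    for action, t in rules:
        if all(lo <= v <= hi for v, (lo, hi) in zip(pkt, t)):
            return action == 'permit'
    return False


def in_packetset(packetset, pkt):
    return any(all(lo <= v <= hi for v, (lo, hi) in zip(pkt, t)) for t in packetset)


def packetset_matches_acl(rules, packetset, bounds):
    """Exhaustive comparison over the (deliberately tiny) packet space."""
    space = product(*[range(lo, hi + 1) for lo, hi in bounds])
    return all(first_match(rules, pkt) == in_packetset(packetset, pkt) for pkt in space)


# Constructed toy packet space: srcIP 0-15, dstIP 0-15, srcPort 0-3, dstPort 0-9, protocol 0-2.
BOUNDS = ((0, 15), (0, 15), (0, 3), (0, 9), (0, 2))
ACL = [
    ('deny',   ((3, 5),  (0, 15), (0, 3), (0, 9), (0, 2))),  # drop src 3-5 outright
    ('permit', ((0, 7),  (8, 15), (0, 3), (0, 9), (1, 1))),  # protocol 1 from 0-7 to 8-15
    ('deny',   ((0, 15), (8, 15), (0, 3), (7, 7), (0, 2))),  # dstPort 7 towards 8-15
    ('permit', ((0, 15), (8, 15), (0, 3), (7, 8), (0, 2))),  # its dstPort 7 part is shadowed
    ('permit', ((6, 15), (8, 15), (0, 3), (9, 9), (0, 2))),  # adjacent to the surviving piece
]
PACKETSET = acl_to_packetset(ACL)
```

The exhaustive comparison is the check worth keeping when any of the set operations is changed: the computed PacketSet must permit exactly the packets the router would, including packets that a later deny would block but an earlier permit already accepted, and excluding packets an earlier deny shadows. `volume()` applied to the pieces of a single subtraction confirms that they are disjoint, which is the property the thesis's Intersection relies on.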


/****************************************************************
 * Function that converts an IP address and a wildcard mask
 * into an integer (long) range
 * Takes an IP in dotted decimal format
 *
 * Simplified IP address and mask handling,
 * where the lower value is set to inputIP
 * and the upper value is inputIP with the full inputMask ORed in
 *
 * Currently assumes that the router config uses the Cisco
 * recommendation of a contiguous range of IP addresses (a contiguous
 * wildcard mask applied to the base address of the block)
 * To add functionality later: to handle the mask fully,
 *   - for cases like "10.10.9.0", "0.0.4.255"
 *     where 9 = 1001, 4 = 100; the match set is 1001 and 1101; 13 = 1101
 *     (two separate ranges, not one)
 *   - and 10.10.9.0 with a mask of 0.0.1.255,
 *     which actually refers to a range of 10.10.8.0 to 10.10.9.255
 *     (the lower bound is ip AND NOT mask, not ip itself)
 ****************************************************************/
Range convertIPtoIntegerRange(String inputIP, String inputMask) {
    Range output = new Range();
    int ipOctet1, ipOctet2, ipOctet3, ipOctet4;
    int maskOctet1, maskOctet2, maskOctet3, maskOctet4;
    int upperOctet1, upperOctet2, upperOctet3, upperOctet4;

    /*** If there is no IP address, the range is set as the max ***/
    if (inputIP == null || inputIP.equalsIgnoreCase("any")) {
        output.lower = minIntegerIP;
        output.upper = maxIntegerIP;
    }
    else {
        /*** Process IP address first: break it up into octets ***/
        Scanner s = new Scanner(inputIP).useDelimiter("\\.");
        ipOctet1 = Integer.parseInt(s.next());
        ipOctet2 = Integer.parseInt(s.next());
        ipOctet3 = Integer.parseInt(s.next());
        ipOctet4 = Integer.parseInt(s.next());

        /*** Calculate integer value of the IP address ***/
        output.lower = (ipOctet1 * octet1Multiplier) +
                       (ipOctet2 * octet2Multiplier) +
                       (ipOctet3 * octet3Multiplier) +
                       (ipOctet4 * octet4Multiplier);

        /*** Process wildcard mask next
         *   If there is no mask, single point in range ***/
        if (inputMask == null) {
            output.upper = output.lower;
        }
        else {
            /*** Break up wildcard mask into octets ***/
            s = new Scanner(inputMask).useDelimiter("\\.");
            maskOctet1 = Integer.parseInt(s.next());
            maskOctet2 = Integer.parseInt(s.next());
            maskOctet3 = Integer.parseInt(s.next());
            maskOctet4 = Integer.parseInt(s.next());

            /* Disabled until full mask functionality is implemented:
               lower value of the IP range, with the wildcard bits cleared
            int lowerOctet1 = ipOctet1 & ~maskOctet1 & 0xFF;
            int lowerOctet2 = ipOctet2 & ~maskOctet2 & 0xFF;
            int lowerOctet3 = ipOctet3 & ~maskOctet3 & 0xFF;
            int lowerOctet4 = ipOctet4 & ~maskOctet4 & 0xFF;
            output.lower = (lowerOctet1 * octet1Multiplier) +
                           (lowerOctet2 * octet2Multiplier) +
                           (lowerOctet3 * octet3Multiplier) +
                           (lowerOctet4 * octet4Multiplier);
            */

            /*** Calculate upper value of the IP range: wildcard bits set ***/
            upperOctet1 = ipOctet1 | maskOctet1;
            upperOctet2 = ipOctet2 | maskOctet2;
            upperOctet3 = ipOctet3 | maskOctet3;
            upperOctet4 = ipOctet4 | maskOctet4;

            /*** Calculate integer value of the upper IP address ***/
            output.upper = (upperOctet1 * octet1Multiplier) +
                           (upperOctet2 * octet2Multiplier) +
                           (upperOctet3 * octet3Multiplier) +
                           (upperOctet4 * octet4Multiplier);
        } // end of else statement on inputMask
    } // end of else statement on inputIP
    return output;
} // end of convertIPtoIntegerRange


/****************************************************************
 * Function to pad a binary string with leading zeros.
 * Input  : binary (string)
 * Output : 8-bit padded (string); octetLength is the class-level
 *          octet width
 ****************************************************************/
String BinaryPadder(String inputString) {
    for (int counter = inputString.length(); counter < octetLength; counter++)
        inputString = "0" + inputString;
    return inputString;
} // end of BinaryPadder

/****************************************************************
 * Function to convert an IP from integer into dotted decimal format
 ****************************************************************/
String convertIntegertoIP(long inputInteger) {
    long octet1, octet1Mod, octet2, octet2Mod, octet3, octet3Mod, octet4;

    octet1    = inputInteger / octet1Multiplier;
    octet1Mod = inputInteger % octet1Multiplier;
    octet2    = octet1Mod / octet2Multiplier;
    octet2Mod = octet1Mod % octet2Multiplier;
    octet3    = octet2Mod / octet3Multiplier;
    octet3Mod = octet2Mod % octet3Multiplier;
    octet4    = octet3Mod / octet4Multiplier;

    return Long.toString(octet1) + "." + Long.toString(octet2) + "."
         + Long.toString(octet3) + "." + Long.toString(octet4);
} // end of convertIntegertoIP

/****************************************************************
 * Function to convert a port (or port range) into a Range
 * "any" or a missing lower port gives the full port range
 ****************************************************************/
Range convertPortToRange(String inputLower, String inputUpper) {
    Range outputRange = new Range();

    if (inputLower == null || inputLower.equalsIgnoreCase("any")) {
        outputRange.lower = minPort;
        outputRange.upper = maxPort;
    }
    else {
        outputRange.lower = Long.parseLong(inputLower);
        if (inputUpper == null) outputRange.upper = maxPort;
        else outputRange.upper = Long.parseLong(inputUpper);
    }
    return outputRange;
} // end of convertPortToRange

/****************************************************************
 * Function to convert a protocol (or protocol range) into a Range
 * "any" or a missing lower protocol gives the full protocol range
 ****************************************************************/
Range convertProtocolToRange(String inputLower, String inputUpper) {
    Range outputRange = new Range();

    if (inputLower == null || inputLower.equalsIgnoreCase("any")) {
        outputRange.lower = minProtocol;
        outputRange.upper = maxProtocol;
    }
    else {
        outputRange.lower = Long.parseLong(inputLower);
        if (inputUpper == null) outputRange.upper = maxProtocol;
        else outputRange.upper = Long.parseLong(inputUpper);
    }
    return outputRange;
} // end of convertProtocolToRange

/****************************************************************
 * Function to convert an ACL rule into a tuple format
 ****************************************************************/
Tuple convertACLRuletoTuple(ACLrule inputACLrule) {
    Tuple outputTuple = new Tuple();

    outputTuple.sourceIP = convertIPtoIntegerRange(
        inputACLrule.source, inputACLrule.sourceWildcard);
    outputTuple.destinationIP = convertIPtoIntegerRange(
        inputACLrule.destination, inputACLrule.destinationWildcard);
    outputTuple.sourcePort = convertPortToRange(
        inputACLrule.sourcePortLower, inputACLrule.sourcePortUpper);
    outputTuple.destinationPort = convertPortToRange(
        inputACLrule.destinationPortLower, inputACLrule.destinationPortUpper);
    outputTuple.protocol = convertProtocolToRange(
        inputACLrule.protocolLower, inputACLrule.protocolUpper);

    return outputTuple;
} // end of convertACLRuletoTuple

/****************************************************************
 * Function to carry out a Union operation on 2 PacketSets
 * (concatenate the tuples, then let the optimizer drop covered
 * tuples and merge adjacent ones)
 ****************************************************************/
PacketSet Union(PacketSet inputPS1, PacketSet inputPS2) {
    PacketSet outputPS = new PacketSet();
    if (inputPS1 != null) outputPS.tupleArray.addAll(inputPS1.tupleArray);
    if (inputPS2 != null) outputPS.tupleArray.addAll(inputPS2.tupleArray);

    OptimizePacketSet(outputPS);
    return outputPS;
} // end of Union

/****************************************************************
 * Function to carry out an Intersection operation on 2 PacketSets
 *
 * Assumption : All tuples in a PacketSet are distinct
 *   (i.e., the 5 ranges of one tuple do not all overlap those of another)
 *   Put another way, tuples cannot be combined further.
 * Returns true when at least one pair of tuples intersects
 ****************************************************************/
boolean Intersection(PacketSet inputPS1, PacketSet inputPS2, PacketSet outputPS) {
    boolean success = false;
    Tuple tupleOut;
    outputPS.tupleArray.clear(); // Empty the outputPS

    for (int i = 0; i < inputPS1.tupleArray.size(); i++) {
        for (int j = 0; j < inputPS2.tupleArray.size(); j++) {
            tupleOut = new Tuple();
            if (IntersectTuple((Tuple) inputPS1.tupleArray.get(i),
                               (Tuple) inputPS2.tupleArray.get(j), tupleOut)) {
                success = true;
                outputPS.tupleArray.add(tupleOut);
            }
        }
    }
    OptimizePacketSet(outputPS);

    return success;
} // end of Intersection

/****************************************************************
 * Function to carry out an Intersection operation on 2 tuples
 * All 5 ranges must intersect for the tuples to intersect;
 * the result is written into tuple3
 ****************************************************************/
boolean IntersectTuple(Tuple tuple1, Tuple tuple2, Tuple tuple3) {
    boolean success =
        IntersectRange(tuple1.sourceIP, tuple2.sourceIP,
                       tuple3.sourceIP, "intersect") &&
        IntersectRange(tuple1.sourcePort, tuple2.sourcePort,
                       tuple3.sourcePort, "intersect") &&
        IntersectRange(tuple1.destinationIP, tuple2.destinationIP,
                       tuple3.destinationIP, "intersect") &&
        IntersectRange(tuple1.destinationPort, tuple2.destinationPort,
                       tuple3.destinationPort, "intersect") &&
        IntersectRange(tuple1.protocol, tuple2.protocol,
                       tuple3.protocol, "intersect");

    return success;
} // end of IntersectTuple

/****************************************************************
 * Function to carry out an Intersection operation on 2 ranges
 * 2 switches: for union and intersection
 *   For the intersection operation, find the smaller matching range
 *     of range1 and range2
 *   For the union operation, find the widest matching range of range1
 *     and range2 (only valid when the ranges overlap or are adjacent)
 * Update: the union switch is no longer used
 ****************************************************************/
boolean IntersectRange(Range inputRange1, Range inputRange2,
                       Range outputRange, String operation) {
    boolean success = false;
    String unionOp = "union";
    String intersectOp = "intersect";
    long lower, upper;

    /*** If the switch is for an intersection operation ***/
    if (operation.equals(intersectOp)) {
        if (inputRange1.lower < inputRange2.lower)
            outputRange.lower = inputRange2.lower;
        else outputRange.lower = inputRange1.lower;

        if (inputRange1.upper < inputRange2.upper)
            outputRange.upper = inputRange1.upper;
        else outputRange.upper = inputRange2.upper;

        if (outputRange.upper < outputRange.lower) success = false;
        else success = true;
    }
    /*** If the switch is for a union operation ***/
    else if (operation.equals(unionOp)) {
        if (inputRange1.lower < inputRange2.lower) {
            outputRange.lower = inputRange1.lower;
            lower = inputRange2.lower;
        }
        else {
            outputRange.lower = inputRange2.lower;
            lower = inputRange1.lower;
        }

        if (inputRange1.upper < inputRange2.upper) {
            outputRange.upper = inputRange2.upper;
            upper = inputRange1.upper;
        }
        else {
            outputRange.upper = inputRange1.upper;
            upper = inputRange2.upper;
        }

        // the union is one contiguous range only if the inputs overlap or touch
        if (upper + 1 >= lower) success = true;
    }

    return success;
} // end of IntersectRange
/************************************************************************
 *
 * Determine the reachability between 2 nodes in a network
 *
 * Handles Reachability Upper Bound computations
 *
 ************************************************************************/

PacketSet InitializePath (NetworkConfig network, int source,
                          int destination, PacketSet RUB) {
    int networkSize = network.tableOfRouters.size();

    /********************************************************************
     * RUB Section Initialization
     ********************************************************************/
    PacketSet finalPacketSet[][] = new PacketSet[networkSize][networkSize];
    PacketSet tempPacketSet[][] = new PacketSet[networkSize][networkSize];
    PacketSet intersectedPacketSet = new PacketSet();
    PacketSet output = new PacketSet();

    // Get the keys from tableOfRouters
    Enumeration routerList = network.tableOfRouters.keys();
    String router[] = new String[networkSize];

    /* Store router names in a lookup array
       that can be referenced by numbers */
    for (int i = 0; i < networkSize; i++) {
        router[i] = (String) routerList.nextElement();
        System.out.println(i + ":" + router[i]); // Display router list
    }

    /* Initialize finalPacketSet[i][destination] for all i */
    for (int i = 0; i < networkSize; i++) {
        /* (1) Check whether i and destination are neighbors on all interfaces
           (2) Find the packetset */
        finalPacketSet[i][destination] = InitializePacketSetRUB(
            (RouterConfig) network.tableOfRouters.get(router[i]),
            (RouterConfig) network.tableOfRouters.get(router[destination]));
    }

    /* Start algorithm to calculate reachability:
       networkSize-2 rounds on top of the one-hop initialization cover
       the longest loop-free path of networkSize-1 hops */
    for (int m = 0; m < networkSize - 2; m++) {

        /* For each router i */
        for (int i = 0; i < networkSize; i++) {

            /* if i==destination, jump to next iteration of for loop */
            if (i == destination) continue;

            tempPacketSet[i][destination] = new PacketSet();

            /* Initialize variables for router i */
            RouterConfig routerI =
                (RouterConfig) network.tableOfRouters.get(router[i]);

            /* For each interface on router i */
            Enumeration interfaceListI =
                routerI.tableOfInterfaceByIPs.elements();
            while (interfaceListI.hasMoreElements()) {

                InterfaceConfig interfaceOnI =
                    (InterfaceConfig) interfaceListI.nextElement();

                /* for each neighbor on the interface */
                for (int counterNeighbor = 0;
                     counterNeighbor < interfaceOnI.neighbors.size();
                     counterNeighbor++) {

                    String neighborOfI = (String)
                        interfaceOnI.neighbors.get(counterNeighbor);

                    /* for all k */
                    for (int k = 0; k < networkSize; k++) {

                        RouterConfig routerK = (RouterConfig)
                            network.tableOfRouters.get(router[k]);

                        /* for each interface on k */
                        Enumeration interfaceListK =
                            routerK.tableOfInterfaceByIPs.keys();
                        while (interfaceListK.hasMoreElements()) {
                            String nextInterfaceOnK = (String)
                                interfaceListK.nextElement();
                            if (nextInterfaceOnK.equalsIgnoreCase(neighborOfI)) {

                                /* if k has an interface that is a neighbor
                                 * of i, get the intersecting PacketSet */
                                InterfaceConfig interfaceOnK = (InterfaceConfig)
                                    routerK.tableOfInterfaceByIPs.get(nextInterfaceOnK);

                                /* Find the intersecting PacketSet
                                   of router i and k */
                                PacketSet packetSetIK = GetPacketSetOverLink
                                    (routerI, interfaceOnI, routerK, interfaceOnK);

                                /* Reachability calculations:
                                   what crosses the link i->k AND can still
                                   reach the destination from k */
                                intersectedPacketSet = new PacketSet();
                                Intersection (packetSetIK,
                                              finalPacketSet[k][destination],
                                              intersectedPacketSet);

                                /* collect the contributions of all neighbors */
                                tempPacketSet[i][destination] =
                                    Union (tempPacketSet[i][destination],
                                           intersectedPacketSet);
                            }
                        }
                    } // end of for (int k=0; k<networkSize; k++)
                } // end of for (each neighbor on the interface)
            } // end of while (interfaceListI.hasMoreElements())

            /************************************************************
             * Assign values to RUB from i to destination
             ************************************************************/
            finalPacketSet[i][destination].tupleArray.clear();
            finalPacketSet[i][destination].tupleArray.addAll
                (tempPacketSet[i][destination].tupleArray);
        } // end of for (int i=0 ; i<networkSize; i++)
    } // end of for (int m=0 ; m<networkSize-2; m++)

    /* Prepare results of reachability analysis for output */
    output = finalPacketSet[source][destination];

    return output;
}


/************************************************************************
 *
 * Initialize packetSetRUB from router1 to router2
 *
 * check whether 2 routers are neighbors on any interface
 * find the intersecting packetset on the link
 * from router1 to router2
 *
 ************************************************************************/

PacketSet InitializePacketSetRUB (RouterConfig router1,
                                  RouterConfig router2) {
    PacketSet outputPS = new PacketSet();
    PacketSet intersectedPS = new PacketSet();

    // if router1==router2, set outputPS to full set (i.e., 1)
    if (router1 == router2) outputPS = NoFilters();

    // Determine resultant PacketSet if neighbors found
    // No neighbor ==> empty PacketSet
    else {

        // Check for neighbor relation
        Enumeration interfaceList1 = router1.tableOfInterfaceByIPs.elements();
        // Look at one interface at a time on router1
        while (interfaceList1.hasMoreElements()) {
            InterfaceConfig interface1 = (InterfaceConfig)
                interfaceList1.nextElement();

            // Check through list of neighbors on interface1, one by one
            for (int count = 0; count < interface1.neighbors.size(); count++) {
                String neighbor = (String) interface1.neighbors.get(count);
                Enumeration interfaceList2 = router2.tableOfInterfaceByIPs.keys();

                // Check through IPs of interfaces on router2, one by one
                while (interfaceList2.hasMoreElements()) {
                    String interface2IP = (String) interfaceList2.nextElement();
                    // if both interfaces on the routers are neighbors
                    if (interface2IP.equalsIgnoreCase(neighbor)) {
                        InterfaceConfig interface2 = (InterfaceConfig)
                            router2.tableOfInterfaceByIPs.get(interface2IP);
                        intersectedPS = GetPacketSetOverLink
                            (router1, interface1, router2, interface2);
                        // parallel links: a packet may use any of them
                        outputPS.tupleArray.addAll(intersectedPS.tupleArray);
                    } // endif
                } // endwhile
            } // endfor
        } // endwhile
        OptimizePacketSet (outputPS);
    } // endelse
    return outputPS;
}


/************************************************************************
 *
 * Find the PacketSet over a link
 * from the outbound queue of the 1st interface
 * to the inbound queue of the 2nd interface
 *
 ************************************************************************/

PacketSet GetPacketSetOverLink (RouterConfig fromRouter,
        InterfaceConfig fromInterface, RouterConfig toRouter,
        InterfaceConfig toInterface) {

    PacketSet outputPS = new PacketSet();

    // what the sending interface lets out ...
    PacketSet outboundPacketSet =
        GetPacketSetonInterface(fromRouter, fromInterface, false);

    // ... and what the receiving interface lets in
    PacketSet inboundPacketSet =
        GetPacketSetonInterface(toRouter, toInterface, true);

    // a packet crosses the link only if both filters permit it
    Intersection(inboundPacketSet, outboundPacketSet, outputPS);

    return outputPS;
}


/************************************************************************
 *
 * Determine which are the PacketSets used by one interface
 * on either the inbound or outbound queue
 *
 ************************************************************************/

PacketSet GetPacketSetonInterface (RouterConfig inputRouter,
        InterfaceConfig inputInterface, boolean inOrOut) {
    /* If inOrOut is true  ==> inbound queue
     * If inOrOut is false ==> outbound queue
     */
    PacketSet PS = new PacketSet();
    ArrayList filters = new ArrayList();
    if (inOrOut) filters.addAll(inputInterface.inFilters);
    else filters.addAll(inputInterface.outFilters);

    // no ACL on this queue ==> permit any
    if (filters.size() == 0) PS = NoFilters();
    else {
        // Hashtable.get returns null for an unknown ACL number, so the
        // missing-ACL case is reported explicitly instead of relying on an
        // exception being thrown
        PacketSet tempPS = (PacketSet)
            inputRouter.mapOfPacketSets.get(filters.get(0));
        if (tempPS == null)
            System.err.println("ERROR: Router " + inputRouter.hostName
                + " may not contain ACL #" + filters.get(0)
                + " that " + inputInterface.interfaceName
                + " has specified !");
        else PS.tupleArray.addAll(tempPS.tupleArray);

        // several ACLs on one queue: a packet must pass all of them,
        // so intersect their PacketSets one after another
        for (int i = 1; i < filters.size(); i++) {
            tempPS = (PacketSet)
                inputRouter.mapOfPacketSets.get(filters.get(i));
            if (tempPS == null) {
                System.err.println("ERROR: Router " + inputRouter.hostName
                    + " may not contain ACL #" + filters.get(i)
                    + " that " + inputInterface.interfaceName
                    + " has specified !");
                continue; // leave PS unchanged for an ACL that cannot be found
            }
            PacketSet interimPS = new PacketSet();
            interimPS.tupleArray.addAll(PS.tupleArray);
            PS.tupleArray.clear();
            Intersection (interimPS, tempPS, PS);
        }
    }
    return PS;
}


/************************************************************************
 *
 * Set default value if no filters are applied to an interface
 * Default value is to permit any
 *
 ************************************************************************/

PacketSet NoFilters() {
    PacketSet output = new PacketSet();
    Tuple out = new Tuple();
    // one tuple whose every field spans its whole range
    out.sourceIP.lower = minIntegerIP;
    out.sourceIP.upper = maxIntegerIP;
    out.destinationIP.lower = minIntegerIP;
    out.destinationIP.upper = maxIntegerIP;
    out.sourcePort.lower = minPort;
    out.sourcePort.upper = maxPort;
    out.destinationPort.lower = minPort;
    out.destinationPort.upper = maxPort;
    out.protocol.lower = minProtocol;
    out.protocol.upper = maxProtocol;
    output.tupleArray.add(out);
    return output;
}
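The reachability upper bound computation above (InitializePath together with GetPacketSetOverLink, Intersection, Union and NoFilters), restated as an added Python example that is not part of the thesis code: it runs the same fixed-point iteration on a constructed three-router network, where the router names, the two toy ACLs and the link table are assumptions made for the illustration.

```python
"""Reachability upper bound (RUB) over PacketSets of header-field ranges.

Added example, not code from the thesis: a Python re-statement of the
InitializePath / GetPacketSetOverLink / Intersection logic, run on a
constructed network A(0) -- B(1) -- C(2) with C as the destination.
"""
from itertools import product

# A Tuple is a dict field -> (lower, upper), both inclusive.
# A PacketSet is a list of Tuples (the union of the tuples).
FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "protocol")
MAX_IP, MAX_PORT, MAX_PROTO = 2**32 - 1, 65535, 255


def no_filters():
    """PacketSet of an interface without ACLs: permit any (one full tuple)."""
    return [{"src_ip": (0, MAX_IP), "dst_ip": (0, MAX_IP),
             "src_port": (0, MAX_PORT), "dst_port": (0, MAX_PORT),
             "protocol": (0, MAX_PROTO)}]


def permit(**narrow):
    """One permit tuple: every field is 'any' unless narrowed (constructed helper)."""
    t = no_filters()[0]
    t.update(narrow)
    return t


def intersect_range(r1, r2):
    """IntersectRange with the 'intersect' switch: the overlap, or None if disjoint."""
    lower, upper = max(r1[0], r2[0]), min(r1[1], r2[1])
    return None if upper < lower else (lower, upper)


def intersect_tuple(t1, t2):
    """Field-wise intersection; one disjoint field empties the whole tuple."""
    out = {}
    for f in FIELDS:
        r = intersect_range(t1[f], t2[f])
        if r is None:
            return None
        out[f] = r
    return out


def intersection(ps1, ps2):
    """Intersection of two PacketSets: every tuple pair, empty pairs dropped."""
    return [t for a, b in product(ps1, ps2)
            if (t := intersect_tuple(a, b)) is not None]


def union(ps1, ps2):
    """Union of two PacketSets is simply the collection of both tuple lists."""
    return ps1 + ps2


def packet_set_over_link(out_filters, in_filters):
    """GetPacketSetOverLink: outbound ACL of the sending interface intersected
    with the inbound ACL of the receiving interface (None means no ACL)."""
    return intersection(out_filters or no_filters(), in_filters or no_filters())


def reachability_upper_bound(n, links, source, destination):
    """InitializePath. links maps (i, k) -> PacketSet over the directed link i->k."""
    # one-hop initialization: direct link to the destination, full set at the destination
    final = {i: (no_filters() if i == destination else links.get((i, destination), []))
             for i in range(n)}
    for _ in range(n - 2):                     # same round count as the thesis code
        for i in range(n):
            if i == destination:
                continue
            temp = []
            for (a, k), link_ps in links.items():
                if a == i:                     # every neighbour k of router i
                    temp = union(temp, intersection(link_ps, final[k]))
            final[i] = temp                    # updated in place, as in the Java version
    return final[source]


# Constructed network: B's interface towards C carries an outbound
# "permit tcp any any eq 80"; C's interface towards B carries an inbound ACL
# permitting tcp to ports 0-1023 and udp to port 53. All other queues have no ACL.
OUT_B_TO_C = [permit(protocol=(6, 6), dst_port=(80, 80))]
IN_C_FROM_B = [permit(protocol=(6, 6), dst_port=(0, 1023)),
               permit(protocol=(17, 17), dst_port=(53, 53))]
LINKS = {
    (0, 1): packet_set_over_link(None, None),
    (1, 0): packet_set_over_link(None, None),
    (1, 2): packet_set_over_link(OUT_B_TO_C, IN_C_FROM_B),
    (2, 1): packet_set_over_link(None, None),
}


def rub_a_to_c():
    """RUB from A to C: only TCP to port 80 can possibly get through B."""
    return reachability_upper_bound(3, LINKS, source=0, destination=2)


if __name__ == "__main__":
    for t in rub_a_to_c():
        print({f: t[f] for f in ("protocol", "dst_port")})
```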
H. PARSER.JAVA

package StaticReachabilityAnalysis;
/*
 * Parser.java
 *
 * Created       : July 25, 2006, 3:20 AM
 * Last Modified : December 12, 2006
 * Author        : Eric Gregory Wong
 *
 * ********** MAIN CALLING FUNCTION FOR PARSING AND PACKETSET CREATION **********
 *
 * Functionality:
 *
 * 1. Parses Router Config files with commands:
 *    a. Router hostname
 *    b. Interface:
 *       i.   Name
 *       ii.  IP address and mask
 *       iii. Interface access-group in and out
 *       iv.  ***Exception - ignores the above if keyword "remark" is used
 *    c. Access-list:
 *       i.  Standard lists
 *       ii. Extended lists with:
 *           (1)  ACL #
 *           (2)  Dynamic name
 *           (3)  Timeout minutes (to be added)
 *           (4)  Permit or deny
 *           (5)  Protocol
 *           (6)  Source + wildcard
 *           (7)  Destination + wildcard
 *           (8)  Precedence (to be added)
 *           (9)  TOS (to be added)
 *           (10) Log (to be added)
 */

import java.io.*;
import java.util.*;

class Parser {


    /********************************************************************
     * Debugging file names
     * These files will be saved in the source code or project directory when run
     ********************************************************************/
    String testFilename1 = "Test File 1 Parsed output check direct from read.txt";
    String testFilename2 = "Test File 2 Intermediate parser check.txt";
    String testFilename3 = "Test File 3 Last ACL Output.txt";
    String testFilename4 = "Test File 4 Hashtable Output (Post).txt";
    String testFilename5 = "Test File 5 Hashtable Output (from read).txt";
    String testFilename6 = "Test File 6 Last Interface check.txt";
    String testFilename7 = "Test File 7 Files in Folder Check.txt";


    /*** Creation of a Parser class ***/
    Parser(NetworkConfig network, File inputDir, File outputDir) throws
            IOException {

        /****************************************************************
         * Initialize test files that will be output to the project directory
         ****************************************************************/
        FileWriter outputTestFile1 = new FileWriter(new File(testFilename1));
        FileWriter outputTestFile2 = new FileWriter(new File(testFilename2));
        PrintWriter outputTestFile3 = new PrintWriter(new BufferedWriter
            (new FileWriter(testFilename3)));
        PrintWriter outputTestFile4 = new PrintWriter(new BufferedWriter
            (new FileWriter(testFilename4)));
        FileWriter outputTestFile5 = new FileWriter(new File(testFilename5));
        PrintWriter outputTestFile6 = new PrintWriter(new BufferedWriter
            (new FileWriter(testFilename6)));
        FileWriter outputTestFile7 = new FileWriter(new File(testFilename7));

        /****************************************************************
         * Parse the files in the input directory one at a time
         ****************************************************************/
        String filenames[] = inputDir.list();
        network.networkName = inputDir.getName();
        for (int n = 0; n < filenames.length; n++) {
            outputTestFile7.write(filenames[n] + "\r\n");
            File inputFile = new File(inputDir, filenames[n]);

            /************************************************************
             * Set up ACLs, Router Interfaces and Routers
             ************************************************************/
            String currentACLnumber = "";
            String previousACLnumber = "";
            LinkedList acl = new LinkedList();
            RouterConfig router = new RouterConfig();
            InterfaceConfig routerInterface = new InterfaceConfig();

            /************************************************************
             * Set up a Scanner to read the file using tokens
             ************************************************************/
            Scanner scanner = null;
            try {
                scanner = new Scanner(inputFile);
                scanner.useDelimiter("\n");
                //scanner.useDelimiter(System.getProperty("line.separator"));
                // doesn't work for .conf files
            } catch (FileNotFoundException e) {
                System.out.println("File not found!"); // for debugging
                System.exit(0); // Stop program if no file found
            }

            /************************************************************
             * Read each token in every scanned line
             ************************************************************/
            boolean interfaceFlag = false; // to check if interface is being processed
            /* Read line by line */
            while (scanner.hasNext()) {

                /* Read token by token in each line */
                Scanner lineScanner = new Scanner(scanner.next());
                String keyword;

                if (lineScanner.hasNext()) {
                    keyword = lineScanner.next();

                    /****************************************************
                     * This section handles the hostname
                     ****************************************************/
                    if (keyword.equals("hostname")) {
                        router.hostName = lineScanner.next();
                        outputTestFile1.write(router.hostName + "\r\n"); // for debugging
                    }

                    /****************************************************
                     * This section handles the interface table creation
                     ****************************************************/
                    else if (keyword.equals("interface")) {

                        /* Create a new interface object */
                        routerInterface = new InterfaceConfig();

                        /* Get the interface name */
                        routerInterface.interfaceName = lineScanner.next();

                        outputTestFile1.write(routerInterface.interfaceName
                            + "\r\n"); // for debugging

                        interfaceFlag = true;
                        continue;
                    }

                    /****************************************************
                     * This section handles the interface configuration section
                     ****************************************************/
                    else if (interfaceFlag) {
                        /* End of interface section is denoted by ! */
                        if (keyword.equals("!")) {
                            interfaceFlag = false;

                            /********************************************
                             * Store interface objects in Router Config
                             ********************************************/
                            /* Store object in table with name as the key */
                            if (routerInterface.interfaceName != null) {
                                /* an interface may not specify an ip address;
                                   record "no ip address" here
                                   to prevent a null pointer error */
                                if (routerInterface.ipAddress == null) {
                                    routerInterface.ipAddress = "no ip address";
                                }
                                router.tableOfInterfaceByNames.put
                                    (routerInterface.interfaceName, routerInterface);
                            }

                            /* Store object in table with ip as the key
                               If no ip, object will not be stored */
                            if (routerInterface.ipAddress != null &&
                                !routerInterface.ipAddress.equals("no ip address"))
                                router.tableOfInterfaceByIPs.put
                                    (routerInterface.ipAddress, routerInterface);
                            continue;
                        }

                        /* Handle lines that begin with "ip" */
                        else if (keyword.equals("ip")) {
                            outputTestFile1.write(keyword + " |"); // for debugging
                            String IP_argument_1, IP_argument_2, IP_argument_3;
                            IP_argument_1 = lineScanner.next();
                            if (IP_argument_1.equals("address") ||
                                IP_argument_1.equals("access-group")) {
                                IP_argument_2 = lineScanner.next();
                                IP_argument_3 = lineScanner.next();

                                /* "ip address A.B.C.D MASK" */
                                if (IP_argument_1.equals("address")) {
                                    routerInterface.ipAddress = IP_argument_2;
                                    routerInterface.ipMask = IP_argument_3;
                                }

                                /* "ip access-group ACL# in|out" */
                                else if (IP_argument_1.equals("access-group")) {
                                    if (IP_argument_3.equals("in"))
                                        routerInterface.inFilters.add(IP_argument_2);
                                    else if (IP_argument_3.equals("out"))
                                        routerInterface.outFilters.add(IP_argument_2);
                                }
                                outputTestFile1.write(keyword + "|" + IP_argument_1 + "|"
                                    + IP_argument_2 + "|" + IP_argument_3 + "\r\n");
                                // for debugging
                            }
                        } // End of else if (keyword.equals("ip"))

                        /* Handles interfaces with no ip specified, keyword "no" */
                        else if (keyword.equals("no")) {
                            String nextArgument = lineScanner.next();
                            if (nextArgument.equals("ip")) {
                                nextArgument = lineScanner.next();
                                if (nextArgument.equals("address")) {
                                    routerInterface.ipAddress = "no ip address";
                                    outputTestFile1.write(keyword + "| no ip address \r\n");
                                }
                            }
                        } // End of else if (keyword.equals("no"))
                    } // end of else if (interfaceFlag)

                    /****************************************************
                     * This section handles ACL rules that start with "access-list"
                     ****************************************************/
                    else if (keyword.equals("access-list")) {

                        labelBreakHere: {

                        int i = 0;
                        ACLrule aclRule = new ACLrule();
                        aclRule.accessList = keyword;

                        /************************************************
                         * read access-list into argument array
                         * Although only 18 needed,
                         * allocated 12 extra to read options
                         * not handled
                         ************************************************/
                        String[] argument = new String[80];

                        while (lineScanner.hasNext()) {
                            argument[i] = lineScanner.next();
                            if (argument[i].equals("!")) break;
                            i++;
                        }

                        // Test Function 1 : output argument array into a test file
                        // for checking
                        outputTestFile1.write(keyword + " | ");
                        for (int j = 0; j < i; j++) outputTestFile1.write(argument[j] + " |");
                        // end of Test Function 1

                        /************************************************
                         * Parse argument array into correct ACL rule structure
                         ************************************************/
                        if (argument[0].equals("rate-limit")) break labelBreakHere;
                        // Skip this section if "rate-limit" found

                        aclRule.accessListNumber = argument[0];
                        currentACLnumber = argument[0];

                        // Initialize previousACLnumber
                        if (previousACLnumber.length() == 0) previousACLnumber =
                            currentACLnumber;

                        // Check whether this is a new ACL
                        if (!currentACLnumber.equals(previousACLnumber)) {
                            // if different ACL number, store the previous ACL in router config
                            router.tableOfACLs.put(previousACLnumber, acl);
                            outputTestFile5.write("\r\nPrevious ACL #" + previousACLnumber
                                + "\r\nCurrent ACL #" + currentACLnumber + "\r\n");
                            outputTestFile5.write(acl + "\r\n");
                            acl = new LinkedList();
                            previousACLnumber = currentACLnumber;
                        }

                        int k = 1;
                        // k is a position marker used to check the rest of the ACL

                        /************************************************
                         * Parse the rest of the ACL rule
                         ************************************************/
                        if (argument[k].equals("remark")) { // No need to parse
                            // further if ACL contains "remark"
                            aclRule.remark = true;
                            k = i;
                        }
                        /* Each pass handles the keyword at position k and the
                           k++ at the bottom moves on to the next token */
                        while (k < i) {
                            // check whether ACL is permit or deny
                            boolean checkPermitDeny = false;
                            // track whether this is a standard IP Access List
                            boolean standardIPAccessList = false;
                            // track whether this is an extended IP Access List
                            boolean extendedIPAccessList = false;

                            /********************************************
                             * This section handles the Dynamic part in an ACL rule
                             ********************************************/
                            if (argument[k].equals("dynamic")) {
                                aclRule.dynamic = "dynamic";
                                k++;
                                aclRule.dynamicName = argument[k];
                            }

                            /********************************************
                             * This section handles the Timeout part in an ACL rule
                             ********************************************/
                            // timeout section to be added

                            /********************************************
                             * This section handles the Permit and Deny keywords
                             * in an ACL rule
                             ********************************************/
                            if (argument[k].equals("permit")) {
                                aclRule.permitDeny = "permit";
                                k++;
                                checkPermitDeny = true;
                            }
                            else if (argument[k].startsWith("deny")) {
                                // .equals doesn't work here
                                aclRule.permitDeny = "deny";
                                k++;
                                checkPermitDeny = true;
                            }

                            /********************************************
                             * This section handles the Protocol, Source
                             * and Destination parts in an ACL rule
                             * Entry into this section only after "Permit" or "Deny" found
                             ********************************************/
                            if (checkPermitDeny) {

                                // check whether ACL is standard or extended
                                // (Cisco numbered ACL ranges)
                                int aclNumber = Integer.valueOf(currentACLnumber);
                                if (aclNumber >= 1 && aclNumber <= 99)
                                    standardIPAccessList = true;
                                else if (aclNumber >= 100 && aclNumber <= 199)
                                    extendedIPAccessList = true;
                                else if (aclNumber >= 1300 && aclNumber <= 1999)
                                    standardIPAccessList = true;
                                else if (aclNumber >= 2000 && aclNumber <= 2699)
                                    extendedIPAccessList = true;

                                /****************************************
                                 * Process standard ACL rules
                                 ****************************************/
                                if (standardIPAccessList) {
                                    aclRule.source = argument[k]; // store source IP
                                    // Process Source Mask
                                    if (k + 1 < i) {
                                        if (argument[k + 1].contains(".") ||
                                            argument[k + 1].contains("any")) {
                                            k++;
                                            aclRule.sourceWildcard = argument[k];
                                        }
                                    }
                                } // end of one line of Standard ACL parsing

                                /****************************************
                                 * Process extended ACL rules
                                 ****************************************/
                                else if (extendedIPAccessList) {
                                    aclRule.protocolLower = GetProtocolNumber
                                        (argument[k]);
                                    // 256 stands for "ip", i.e. every protocol number
                                    if (aclRule.protocolLower.equals("256")) {
                                        aclRule.protocolLower = "0";
                                        aclRule.protocolUpper = "255";
                                    }
                                    else aclRule.protocolUpper = aclRule.protocolLower;
                                    k++;

                                    /************************************
                                     * Process source fields
                                     ************************************/
                                    if (argument[k].equals("any")) {
                                        aclRule.source = argument[k];
                                        k++;
                                        k = ParsePort(aclRule, argument, k, "source");
                                    }
                                    else if (argument[k].equals("host")) {
                                        k++;
                                        aclRule.source = argument[k];
                                        k++;
                                        k = ParsePort(aclRule, argument, k, "source");
                                    }
                                    else {
                                        aclRule.source = argument[k];
                                        k++;
                                        aclRule.sourceWildcard = argument[k];
                                        k++;
                                        k = ParsePort(aclRule, argument, k, "source");
                                    }

                                    /************************************
                                     * Process destination fields
                                     ************************************/
                                    /*** If the destination keyword is "any" ***/
                                    if (argument[k].equals("any")) {
                                        aclRule.destination = argument[k];
                                        k++;
                                        if (argument[k] != null)
                                            k = ParsePort(aclRule, argument, k, "destination");
                                    }
                                    else if (argument[k].equals("host")) {
                                        k++;
                                        aclRule.destination = argument[k];
                                        k++;
                                        if (argument[k] != null)
                                            k = ParsePort(aclRule, argument, k, "destination");
                                    }
                                    else {
                                        aclRule.destination = argument[k];
                                        k++;
                                        aclRule.destinationWildcard = argument[k];
                                        k++;
                                        if (argument[k] != null)
                                            k = ParsePort(aclRule, argument, k, "destination");
                                    }
                                } // end of one line of Extended ACL parsing
                            } // End of protocol, source and destination parts

                            /********************************************
                             * This section handles the precedence, tos and log parts
                             * in an ACL rule
                             ********************************************/
                            // to be added
                            // end of precedence, tos and log parts

                            k++;
                        }

                        new DebugTools().IntermediateParserCheck(aclRule,
                            outputTestFile2); // for debugging
                        outputTestFile1.write("\r\n"); // for debugging

                        // Add current ACL line to the Linked List
                        // if it is not meant as a remark
                        if (!aclRule.remark) acl.add(aclRule);

                        } // end of labelBreakHere
                    } // End of section handling ACLs that start with "access-list"

                } // end of if (lineScanner.hasNext())

            } // end of while (scanner.hasNext())

            /************************************************************
             * Store the last ACL of the file: ACLs are stored above only
             * when a new ACL number is seen, so the final one is still pending
             ************************************************************/
            if (currentACLnumber.equals(previousACLnumber)) {
                router.tableOfACLs.put(previousACLnumber, acl);
                outputTestFile5.write("\r\n" + previousACLnumber + "\r\n"
                    + currentACLnumber + "\r\n"); // for debugging
                outputTestFile5.write(acl + "\r\n"); // for debugging
            }

            outputTestFile4.println(router);
            outputTestFile6.println(routerInterface);

            new DebugTools().CheckLastACLOutput(acl, outputTestFile3);
            // System.out.println(router.hostName); // for debugging

            /************************************************************
             * Save the router to the tableOfRouters object
             * in the network, using its hostname as the key
             ************************************************************/
            if (router.hostName != null) network.tableOfRouters.put
                (router.hostName, router);

        } // end of for loop search files in folder

        /*** Close all the debugging/test files ***/
        outputTestFile1.close();
        outputTestFile2.close();
        outputTestFile3.close();
        outputTestFile4.close();
        outputTestFile5.close();
        outputTestFile6.close();
        outputTestFile7.close();

        /****************************************************************
         * Determine which routers are the neighbors of which
         ****************************************************************/
        boolean successProcessNeighbors =
            ProcessNeighbors(network.tableOfRouters);

        /****************************************************************
         * Create packet sets for all the routers in the network
         ****************************************************************/
        new PacketSet().CreateAllPacketSets(network);

        /****************************************************************
         * Send the network data to the output directory
         ****************************************************************/
        new NetworkDataDump(network, outputDir);

        /****************************************************************
         * Notify user the parsing has been completed
         ****************************************************************/
        System.out.println("\r\n\r\n----> Successful completion of parsing <----\r\n");
    } // end of Parser


    /********************************************************************
     *
     * Function to determine the neighbors of routers in a network.
     * Checks the interface on each router against the interface on every other
     * router.
     * Store the IPs of each router's neighbors in its respective interface objects.
     *
     ********************************************************************/

    boolean ProcessNeighbors (Hashtable HT1) {
        boolean success = false;
        int routerCounter = 0;
        RouterConfig currentRouter;
        Enumeration routerList = HT1.elements();

        try {
            while (routerList.hasMoreElements()) {
                currentRouter = (RouterConfig) routerList.nextElement();
                System.out.println("------- Processing Neighbors ------ Router : "
                    + currentRouter.hostName); // for debugging
                routerCounter++;

                Enumeration routerList2 = HT1.elements();
                RouterConfig routerToCompare = null;

                // skip the routers already paired with currentRouter,
                // so that every pair is compared exactly once
                for (int i = 0; i < routerCounter; i++) {
                    if (routerList2.hasMoreElements()) routerToCompare =
                        (RouterConfig) routerList2.nextElement();
                }

                while (routerList2.hasMoreElements()) {
                    routerToCompare = (RouterConfig) routerList2.nextElement();
                    Enumeration interfaceList =
                        currentRouter.tableOfInterfaceByNames.elements();

                    while (interfaceList.hasMoreElements()) {
                        InterfaceConfig currentInterface =
                            (InterfaceConfig) interfaceList.nextElement();
                        Enumeration interfaceList2 =
                            routerToCompare.tableOfInterfaceByNames.elements();

                        while (interfaceList2.hasMoreElements()) {

                            InterfaceConfig interfaceToCompare =
                                (InterfaceConfig) interfaceList2.nextElement();
                            String prefix1, prefix2;
                            if (currentInterface.ipAddress.equals("no ip address") ||
                                interfaceToCompare.ipAddress.equals("no ip address")) {
                                // an interface without an address has no neighbors;
                                // this must not reset a success already recorded
                            }
                            else if (currentInterface.ipAddress.equals
                                     (interfaceToCompare.ipAddress)) {
                                // do nothing
                            }
                            else if (currentInterface.ipMask.equals
                                     (interfaceToCompare.ipMask)) {
                                // same mask and same network prefix ==> same subnet
                                prefix1 = GetPrefix(currentInterface.ipAddress,
                                                    currentInterface.ipMask);
                                prefix2 = GetPrefix(interfaceToCompare.ipAddress,
                                                    interfaceToCompare.ipMask);
                                if (prefix1.equals(prefix2)) { // they are neighbors
                                    currentInterface.neighbors.add(interfaceToCompare.ipAddress);
                                    interfaceToCompare.neighbors.add(currentInterface.ipAddress);
                                    success = true;
                                }
                            }
                        } // end of while (interfaceList2.hasMoreElements())
                    } // end of while (interfaceList.hasMoreElements())
                } // end of while (routerList2.hasMoreElements())
            } // end of while ( routerList.hasMoreElements() )
        } catch (Exception e) { System.out.println("Error - " + e); }
        return success;
    }


    /********************************************************************
     *
     * Function to calculate the network prefix of an IP address.
     * Input  : IP address (string), IP mask (string)
     * Output : Network prefix (string)
     *
     ********************************************************************/

    String GetPrefix (String ip, String mask) {
        String Prefix;
        int ipOctet1 = 0, ipOctet2 = 0, ipOctet3 = 0, ipOctet4 = 0;
        int maskOctet1 = 0, maskOctet2 = 0, maskOctet3 = 0, maskOctet4 = 0;

        /*** Break up ip string into octets ***/
        Scanner s = new Scanner(ip).useDelimiter("\\.");
        ipOctet1 = Integer.parseInt(s.next());
        ipOctet2 = Integer.parseInt(s.next());
        ipOctet3 = Integer.parseInt(s.next());
        ipOctet4 = Integer.parseInt(s.next());

        /*** Break up mask string into octets ***/
        s = new Scanner(mask).useDelimiter("\\.");
        maskOctet1 = Integer.parseInt(s.next());
        maskOctet2 = Integer.parseInt(s.next());
        maskOctet3 = Integer.parseInt(s.next());
        maskOctet4 = Integer.parseInt(s.next());

        /*** Determine the network prefix based on the ip and mask ***/
        Prefix = Integer.toString(ipOctet1 & maskOctet1) + "." +
                 Integer.toString(ipOctet2 & maskOctet2) + "." +
                 Integer.toString(ipOctet3 & maskOctet3) + "." +
                 Integer.toString(ipOctet4 & maskOctet4);

        return Prefix;
    }


/*****************************************************************************
 * Function to convert ports in an ACL rule to its IANA number assignment.
 * Input : ACL rule (ACLrule), parsed argument (string), position k (int),
 *         port name or number (string)
 * Output : position k, which is one position after reading the port arguments
 * The upper and lower port numbers are stored in the ACL rule that was
 *
 * Limitation: Does not handle neq operator yet
 *****************************************************************************/


int ParsePort(ACLrule aclRule, String[] argument, int k, String port) {

    // handles eq, gt, lt, range
    // to include handling for neq
    if (argument[k].equalsIgnoreCase("eq")) { // handles eq
        k++;
        if (port.equals("source")) {
            aclRule.sourcePortLower = GetPortNumber(argument[k]);
            aclRule.sourcePortUpper = aclRule.sourcePortLower;
            k++;
        }
        else if (port.equals("destination")) {
            aclRule.destinationPortLower = GetPortNumber(argument[k]);
            aclRule.destinationPortUpper = aclRule.destinationPortLower;
        }
    }
    else if (argument[k].equalsIgnoreCase("gt")) {
        k++;
        if (port.equals("source")) {
            aclRule.sourcePortLower = GetPortNumber(argument[k]);
            k++;
        }
        else if (port.equals("destination"))
            aclRule.destinationPortLower = GetPortNumber(argument[k]);
    }
    else if (argument[k].equalsIgnoreCase("lt")) {
        k++;
        if (port.equals("source")) {
            aclRule.sourcePortUpper = GetPortNumber(argument[k]);
            k++;
        }
        else if (port.equals("destination"))
            aclRule.destinationPortUpper = GetPortNumber(argument[k]);
    }
    else if (argument[k].equalsIgnoreCase("range")) {
        k++;
        if (port.equals("source")) {
            aclRule.sourcePortLower = GetPortNumber(argument[k]);
            k++;
            aclRule.sourcePortUpper = GetPortNumber(argument[k]);
            k++;
        }
        else if (port.equals("destination")) {
            aclRule.destinationPortLower = GetPortNumber(argument[k]);
            k++;
            aclRule.destinationPortUpper = GetPortNumber(argument[k]);
        }
    }

    return k;
}


/*****************************************************************************
 * Function to lookup the IANA number assignment of a port.
 * Input : port name or number (string)
 * Output : port number (string)
 *****************************************************************************/


String GetPortNumber(String port) {
    String portNumber;
    // Note switch statement does not work with strings
    if (port.equalsIgnoreCase("tcpmux")) portNumber = "1";
    else if (port.equalsIgnoreCase("ftp-data")) portNumber = "20";
    else if (port.equalsIgnoreCase("ftp")) portNumber = "21";
    else if (port.equalsIgnoreCase("ssh")) portNumber = "22";
    else if (port.equalsIgnoreCase("telnet")) portNumber = "23";
    else if (port.equalsIgnoreCase("smtp")) portNumber = "25";
    else if (port.equalsIgnoreCase("dsp")) portNumber = "33";
    else if (port.equalsIgnoreCase("time")) portNumber = "37";
    else if (port.equalsIgnoreCase("rap")) portNumber = "38";
    else if (port.equalsIgnoreCase("rlp")) portNumber = "39";
    else if (port.equalsIgnoreCase("name")) portNumber = "42";
    else if (port.equalsIgnoreCase("nameserver")) portNumber = "42";
    else if (port.equalsIgnoreCase("nicname")) portNumber = "43";
    else if (port.equalsIgnoreCase("dns")) portNumber = "53";
    else if (port.equalsIgnoreCase("domain")) portNumber = "53";
    else if (port.equalsIgnoreCase("bootps")) portNumber = "67";
    else if (port.equalsIgnoreCase("bootpc")) portNumber = "68";
    else if (port.equalsIgnoreCase("tftp")) portNumber = "69";
    else if (port.equalsIgnoreCase("gopher")) portNumber = "70";
    else if (port.equalsIgnoreCase("finger")) portNumber = "79";
    else if (port.equalsIgnoreCase("http")) portNumber = "80";
    else if (port.equalsIgnoreCase("www")) portNumber = "80";
    else if (port.equalsIgnoreCase("kerberos")) portNumber = "88";
    else if (port.equalsIgnoreCase("pop2")) portNumber = "109";
    else if (port.equalsIgnoreCase("pop3")) portNumber = "110";
    else if (port.equalsIgnoreCase("sunrpc")) portNumber = "111";
    else if (port.equalsIgnoreCase("ident")) portNumber = "113";
    else if (port.equalsIgnoreCase("auth")) portNumber = "113";
    else if (port.equalsIgnoreCase("sftp")) portNumber = "115";
    else if (port.equalsIgnoreCase("nntp")) portNumber = "119";
    else if (port.equalsIgnoreCase("netbios-ns")) portNumber = "137";
    else if (port.equalsIgnoreCase("netbios-dg")) portNumber = "138";
    else if (port.equalsIgnoreCase("netbios-ss")) portNumber = "139";
    else if (port.equalsIgnoreCase("sqlsrv")) portNumber = "156";
    else if (port.equalsIgnoreCase("snmp")) portNumber = "161";
    // (several further entries between "snmp" and "bgp" are illegible in the listing)
    else if (port.equalsIgnoreCase("bgp")) portNumber = "179";
    else if (port.equalsIgnoreCase("exec")) portNumber = "512";
    else if (port.equalsIgnoreCase("shell")) portNumber = "514";
    else portNumber = port;

    return portNumber;
}

/*****************************************************************************
 * Function to lookup the IANA number assignment of a protocol.
 * Input : protocol name or number (string)
 * Output : protocol number (string)
 *****************************************************************************/

String GetProtocolNumber(String protocol) {
    String protocolNumber;
    if (protocol.equalsIgnoreCase("icmp")) protocolNumber = "1";
    else if (protocol.equalsIgnoreCase("igmp")) protocolNumber = "2";
    //else if (protocol.equalsIgnoreCase("ip")) protocolNumber = "4";
    else if (protocol.equalsIgnoreCase("ip")) protocolNumber = "256";
        // special case to indicate all protocols. No actual protocol number 256.
    else if (protocol.equalsIgnoreCase("tcp")) protocolNumber = "6";
    else if (protocol.equalsIgnoreCase("egp")) protocolNumber = "8";
    else if (protocol.equalsIgnoreCase("igp")) protocolNumber = "9";
    else if (protocol.equalsIgnoreCase("udp")) protocolNumber = "17";
    else if (protocol.equalsIgnoreCase("rdp")) protocolNumber = "27";
    else if (protocol.equalsIgnoreCase("ipv6")) protocolNumber = "41";
    // (several entries between "ipv6" and "eigrp", other than "rsvp", are illegible in the listing)
    else if (protocol.equalsIgnoreCase("rsvp")) protocolNumber = "46";
    else if (protocol.equalsIgnoreCase("eigrp")) protocolNumber = "88";
    else if (protocol.equalsIgnoreCase("l2tp")) protocolNumber = "115";
    else protocolNumber = protocol;

    return protocolNumber;
}


} //Parser 
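The Parser methods above each map one field of a router configuration onto the bounds a PacketSet tuple is built from: GetPrefix for interface prefixes (and, through the neighbor loop that precedes it, the "same subnet" test that links interfaces), ParsePort for ACL port operators, and GetPortNumber and GetProtocolNumber for the name-to-number tables. The Python example below is added here and is not part of the thesis code; it carries the same mapping through end to end and covers three points the listing leaves open: the neq operator (noted above as unhandled) yields two ranges instead of one, gt and lt are treated as strict inequalities as Cisco IOS defines them (the listing stores the operand itself as the bound), and the keyword ip becomes the full protocol range 0-255 rather than the sentinel 256. The ACL line format, the abbreviated port and protocol tables, the sample rule, and the function names (rule_to_tuple, parse_address, parse_port_operator and so on) are all this example's own constructions, not the project's.

```python
"""Constructed example (not the thesis's code): map the header fields the
Parser extracts (interface prefixes, ACL protocol and port operators) onto
the closed integer ranges a PacketSet tuple is built from, including the
'neq' operator the thesis lists as unhandled."""
import ipaddress
from typing import Dict, List, Tuple

Range = Tuple[int, int]

# Small subset of the IANA service-name table the thesis encodes by hand
# (constructed here; extend as needed).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
              "domain": 53, "dns": 53, "tftp": 69, "http": 80, "www": 80,
              "pop3": 110, "snmp": 161, "bgp": 179}
PROTOCOL_NAMES = {"icmp": 1, "igmp": 2, "tcp": 6, "udp": 17, "eigrp": 88}
PORT_OPERATORS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}  # operand count


def network_prefix(ip: str, mask: str) -> str:
    """Network prefix of a dotted address under a dotted subnet mask.
    A non-contiguous mask raises ValueError instead of being AND-ed blindly."""
    return str(ipaddress.IPv4Network((ip, mask), strict=False).network_address)


def same_subnet(ip1: str, mask1: str, ip2: str, mask2: str) -> bool:
    """Neighbour test used when linking interfaces: equal network prefixes."""
    return network_prefix(ip1, mask1) == network_prefix(ip2, mask2)


def port_number(token: str) -> int:
    """Service name or numeric string -> port number, validated to 16 bits."""
    n = int(token) if token.isdigit() else PORT_NAMES.get(token.lower())
    if n is None or not 0 <= n <= 65535:
        raise ValueError(f"bad port token: {token!r}")
    return n


def protocol_range(token: str) -> Range:
    """'ip' matches every protocol, so it is the full 8-bit range rather than
    a sentinel like 256 (which is not a protocol number)."""
    if token.lower() == "ip":
        return (0, 255)
    n = int(token) if token.isdigit() else PROTOCOL_NAMES.get(token.lower())
    if n is None or not 0 <= n <= 255:
        raise ValueError(f"bad protocol token: {token!r}")
    return (n, n)


def parse_port_operator(args: List[str], k: int) -> Tuple[List[Range], int]:
    """Consume an optional Cisco port operator at args[k]; return (ranges, next k).
    gt/lt are strict, so 'gt 65535' and 'lt 0' match nothing; neq splits in two."""
    if k >= len(args) or args[k].lower() not in PORT_OPERATORS:
        return [(0, 65535)], k                     # no operator: any port
    op, operands = args[k].lower(), PORT_OPERATORS[args[k].lower()]
    if k + operands >= len(args):
        raise ValueError(f"operator {op!r} is missing its operand")
    if op == "range":
        lo, hi = port_number(args[k + 1]), port_number(args[k + 2])
        if lo > hi:
            raise ValueError("range lower bound exceeds upper bound")
        return [(lo, hi)], k + 3
    p = port_number(args[k + 1])
    candidates = {"eq": [(p, p)], "gt": [(p + 1, 65535)], "lt": [(0, p - 1)],
                  "neq": [(0, p - 1), (p + 1, 65535)]}[op]
    return [r for r in candidates if r[0] <= r[1]], k + 2


def parse_address(args: List[str], k: int) -> Tuple[Range, int]:
    """'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (wildcard mask) -> one range."""
    if args[k].lower() == "any":
        return (0, 0xFFFFFFFF), k + 1
    if args[k].lower() == "host":
        a = int(ipaddress.IPv4Address(args[k + 1]))
        return (a, a), k + 2
    a, w = int(ipaddress.IPv4Address(args[k])), int(ipaddress.IPv4Address(args[k + 1]))
    if (w + 1) & w:   # wildcard bits must be a trailing run of ones to give one range
        raise ValueError(f"non-contiguous wildcard {args[k + 1]} needs range splitting")
    return (a & ~w & 0xFFFFFFFF, a | w), k + 2


def rule_to_tuple(rule: str) -> Dict[str, object]:
    """Extended-ACL body (action proto src [op] dst [op]) -> per-field ranges."""
    args = rule.split()
    src, k = parse_address(args, 2)
    sport, k = parse_port_operator(args, k)
    dst, k = parse_address(args, k)
    dport, k = parse_port_operator(args, k)
    if k != len(args):
        raise ValueError(f"unparsed tokens: {args[k:]}")
    return {"action": args[0].lower(), "proto": protocol_range(args[1]),
            "src": src, "sport": sport, "dst": dst, "dport": dport}


if __name__ == "__main__":
    # constructed sample rule; the destination port field becomes two ranges
    print(rule_to_tuple("permit tcp host 10.1.1.5 10.2.0.0 0.0.255.255 neq telnet"))
```

Every field ends up as a list of closed integer intervals, which is what makes PacketSet intersection and union cheap; the listing's single lower/upper pair per rule is exactly why neq could not be represented there. Rejecting non-contiguous masks and wildcards loudly, rather than AND-ing them as GetPrefix does, keeps a mistyped mask from silently widening or narrowing a reachability bound.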
I. PARSERGUI.JAVA

package StaticReachabilityAnalysis;
/*
 * ParserGUI.java
 * Main Class File
 *
 * Created : November 18, 2006
 * Last Modified : November 30, 2006
 * Author : Eric Gregory Wong
 */

import java.io.*;
import javax.swing.*;

public class ParserGUI extends javax.swing.JFrame {
    NetworkConfig network;
    String outputDirString;
    String programVersion = "Version 1.0";

    /** Creates new form ParserGUI */
    public ParserGUI() {
        initComponents();
    }


    /** This method is called from within the constructor to
     * initialize the form.
     * WARNING: Do NOT modify this code. The content of this method is
     * always regenerated by the Form Editor.
     */
    // <editor-fold defaultstate="collapsed" desc=" Generated Code ">
    private void initComponents() {
        jPopupMenu1 = new javax.swing.JPopupMenu();
        jPanel2 = new javax.swing.JPanel();
        jButton1 = new javax.swing.JButton();
        jLabel1 = new javax.swing.JLabel();
        jLabel2 = new javax.swing.JLabel();
        jSeparator1 = new javax.swing.JSeparator();
        jButton2 = new javax.swing.JButton();
        jLabel3 = new javax.swing.JLabel();
        jTextField1 = new javax.swing.JTextField();
        jButton3 = new javax.swing.JButton();
        jLabel4 = new javax.swing.JLabel();
        jTextField2 = new javax.swing.JTextField();
        jButton4 = new javax.swing.JButton();
        jLabel6 = new javax.swing.JLabel();
        jButton5 = new javax.swing.JButton();
        jLabel7 = new javax.swing.JLabel();
        jLabel5 = new javax.swing.JLabel();
        jButton6 = new javax.swing.JButton();

        org.jdesktop.layout.GroupLayout jPanel2Layout = new org.jdesktop.layout.GroupLayout(jPanel2);
        jPanel2.setLayout(jPanel2Layout);
        jPanel2Layout.setHorizontalGroup(
            jPanel2Layout.createParallelGroup(org.jdesktop.layout.GroupLayout.LEADING)
            .add(0, 100, Short.MAX_VALUE)
        );
        jPanel2Layout.setVerticalGroup(
            jPanel2Layout.createParallelGroup(org.jdesktop.layout.GroupLayout.LEADING)
            .add(0, 100, Short.MAX_VALUE)
        );

        setDefaultCloseOperation(javax.swing.WindowConstants.EXIT_ON_CLOSE);
        setBackground(new java.awt.Color(255, 255, 255));
        jButton1.setText("Parse Now");
        jButton1.addActionListener(new java.awt.event.ActionListener() {
            public void actionPerformed(java.awt.event.ActionEvent evt) {
                jButton1ActionPerformed(evt);
            }
        });
        jButton1.addMouseListener(new java.awt.event.MouseAdapter() {
            public void mouseClicked(java.awt.event.MouseEvent evt) {
                jButton1MouseClicked(evt);
            }
            public void mouseReleased(java.awt.event.MouseEvent evt) {
                jButton1MouseReleased(evt);
            }
        });

        jLabel1.setFont(new java.awt.Font("Arial", 0, 12));
        jLabel1.setText("Step 1 : Type or browse for the source and destination directories");
        jLabel1.addPropertyChangeListener(new java.beans.PropertyChangeListener() {
            public void propertyChange(java.beans.PropertyChangeEvent evt) {
                jLabel1PropertyChange(evt);
            }
        });
        jLabel2.setFont(new java.awt.Font("Arial", 1, 28));
        jLabel2.setText("STATIC REACHABILITY ANALYSIS TOOLKIT");

        jButton2.setText("Calculate Reachability Bounds");
        jButton2.setEnabled(false);
        jButton2.setOpaque(false);
        jButton2.addActionListener(new java.awt.event.ActionListener() {
            public void actionPerformed(java.awt.event.ActionEvent evt) {
                jButton2ActionPerformed(evt);
            }
        });
        jButton2.addMouseListener(new java.awt.event.MouseAdapter() {
            public void mouseClicked(java.awt.event.MouseEvent evt) {
                jButton2MouseClicked(evt);
            }
        });

        jLabel3.setFont(new java.awt.Font("Arial", 0, 16));
        jLabel3.setText("Source Directory :");

        jTextField1.setFont(new java.awt.Font("Arial", 0, 14));
        jTextField1.setText("D:\\Routers");
        jTextField1.addMouseListener(new java.awt.event.MouseAdapter() {
            public void mouseClicked(java.awt.event.MouseEvent evt) {
                jTextField1MouseClicked(evt);
            }
        });

        jButton3.setText("Browse");
        jButton3.addMouseListener(new java.awt.event.MouseAdapter() {
            public void mouseClicked(java.awt.event.MouseEvent evt) {
                jButton3MouseClicked(evt);
            }
        });

        jLabel4.setFont(new java.awt.Font("Arial", 0, 16));
        jLabel4.setText("Destination Directory :");

        jTextField2.setFont(new java.awt.Font("Arial", 0, 14));
        jTextField2.setText("D:\\Output");
        jTextField2.addMouseListener(new java.awt.event.MouseAdapter() {
            public void mouseClicked(java.awt.event.MouseEvent evt) {
                jTextField2MouseClicked(evt);
            }
        });
        jButton4.setText("Browse");
        jButton4.addMouseListener(new java.awt.event.MouseAdapter() {
            public void mouseClicked(java.awt.event.MouseEvent evt) {
                jButton4MouseClicked(evt);
            }
        });

        jLabel6.setFont(new java.awt.Font("Arial", 0, 12));
        jLabel6.setText("Step 2 : Click on \"Parse Now\" to begin parsing the router configuration files in the source directory");
        jLabel6.addPropertyChangeListener(new java.beans.PropertyChangeListener() {
            public void propertyChange(java.beans.PropertyChangeEvent evt) {
                jLabel6PropertyChange(evt);
            }
        });

        jButton5.setText("Quit");
        jButton5.addActionListener(new java.awt.event.ActionListener() {
            public void actionPerformed(java.awt.event.ActionEvent evt) {
                jButton5ActionPerformed(evt);
            }
        });

        jLabel7.setIcon(new javax.swing.ImageIcon("D:\\NPS\\Thesis\\Static Reachability Analysis Program\\Static Reachability Analysis\\src\\StaticReachabilityAnalysis\\NPS-logo.jpg"));
        jLabel7.setVerticalAlignment(javax.swing.SwingConstants.TOP);

        jLabel5.setFont(new java.awt.Font("Arial", 0, 12));
        jLabel5.setText("Attention: existing contents of destination directory will be deleted when parsing starts");

        jButton6.setText("About");
        jButton6.addMouseListener(new java.awt.event.MouseAdapter() {
            public void mouseClicked(java.awt.event.MouseEvent evt) {
                jButton6MouseClicked(evt);
            }
        });

        org.jdesktop.layout.GroupLayout layout = new org.jdesktop.layout.GroupLayout(getContentPane());
        getContentPane().setLayout(layout);
        layout.setHorizontalGroup(
            layout.createParallelGroup(org.jdesktop.layout.GroupLayout.LEADING)
            .add(layout.createSequentialGroup()
                .add(layout.createParallelGroup(org.jdesktop.layout.GroupLayout.LEADING)
                    .add(layout.createSequentialGroup()
                        .add(30, 30, 30)
                        .add(layout.createParallelGroup(org.jdesktop.layout.GroupLayout.LEADING)
                            .add(layout.createSequentialGroup()
                                .add(jLabel7, org.jdesktop.layout.GroupLayout.PREFERRED_SIZE, 138, org.jdesktop.layout.GroupLayout.PREFERRED_SIZE)
                                .addPreferredGap(org.jdesktop.layout.LayoutStyle.RELATED)
                                .add(jLabel2))
                            .add(layout.createSequentialGroup()
                                .add(layout.createParallelGroup(org.jdesktop.layout.GroupLayout.LEADING)
                                    .add(jLabel3)
                                    .add(jLabel4))
                                .add(26, 26, 26)
                                .add(layout.createParallelGroup(org.jdesktop.layout.GroupLayout.LEADING)
                                    .add(layout.createSequentialGroup()
                                        .add(jTextField1, org.jdesktop.layout.GroupLayout.PREFERRED_SIZE, 408, org.jdesktop.layout.GroupLayout.PREFERRED_SIZE)
                                        .add(23, 23, 23)
                                        .add(jButton3))
                                    .add(layout.createSequentialGroup()
                                        .add(jTextField2, org.jdesktop.layout.GroupLayout.PREFERRED_SIZE, 408, org.jdesktop.layout.GroupLayout.PREFERRED_SIZE)
                                        .add(23, 23, 23)
                                        .add(jButton4))
                                    .add(jLabel5, org.jdesktop.layout.GroupLayout.DEFAULT_SIZE, 599, Short.MAX_VALUE)))))
                    .add(layout.createSequentialGroup()
                        .add(20, 20, 20)
                        .add(layout.createParallelGroup(org.jdesktop.layout.GroupLayout.TRAILING, false)
                            .add(org.jdesktop.layout.GroupLayout.LEADING, jLabel1, org.jdesktop.layout.GroupLayout.DEFAULT_SIZE, org.jdesktop.layout.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
                            .add(org.jdesktop.layout.GroupLayout.LEADING, jLabel6, org.jdesktop.layout.GroupLayout.PREFERRED_SIZE, 603, org.jdesktop.layout.GroupLayout.PREFERRED_SIZE)))
                    .add(layout.createSequentialGroup()
                        .addContainerGap()
                        .add(jSeparator1, org.jdesktop.layout.GroupLayout.PREFERRED_SIZE, 799, org.jdesktop.layout.GroupLayout.PREFERRED_SIZE)))
                .addContainerGap())
            .add(org.jdesktop.layout.GroupLayout.TRAILING, layout.createSequentialGroup()
                .addContainerGap(228, Short.MAX_VALUE)
                .add(jButton1)
                .add(80, 80, 80)
                .add(jButton2)
                .add(145, 145, 145)
                .add(layout.createParallelGroup(org.jdesktop.layout.GroupLayout.TRAILING, false)
                    .add(jButton5, org.jdesktop.layout.GroupLayout.DEFAULT_SIZE, org.jdesktop.layout.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
                    .add(jButton6, org.jdesktop.layout.GroupLayout.DEFAULT_SIZE, org.jdesktop.layout.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE))
                .add(47, 47, 47))
        );


        layout.setVerticalGroup(
            layout.createParallelGroup(org.jdesktop.layout.GroupLayout.LEADING)
            .add(layout.createSequentialGroup()
                .add(layout.createParallelGroup(org.jdesktop.layout.GroupLayout.LEADING)
                    .add(layout.createSequentialGroup()
                        .add(30, 30, 30)
                        .add(jLabel7, org.jdesktop.layout.GroupLayout.PREFERRED_SIZE, 104, org.jdesktop.layout.GroupLayout.PREFERRED_SIZE))
                    .add(layout.createSequentialGroup()
                        .add(67, 67, 67)
                        .add(jLabel2)))
                .add(49, 49, 49)
                .add(layout.createParallelGroup(org.jdesktop.layout.GroupLayout.TRAILING)
                    .add(jLabel4)
                    .add(layout.createSequentialGroup()
                        .add(layout.createParallelGroup(org.jdesktop.layout.GroupLayout.BASELINE)
                            .add(jButton3)
                            .add(jTextField1, org.jdesktop.layout.GroupLayout.PREFERRED_SIZE, org.jdesktop.layout.GroupLayout.DEFAULT_SIZE, org.jdesktop.layout.GroupLayout.PREFERRED_SIZE)
                            .add(jLabel3))
                        .add(39, 39, 39)
                        .add(layout.createParallelGroup(org.jdesktop.layout.GroupLayout.BASELINE)
                            .add(jTextField2, org.jdesktop.layout.GroupLayout.PREFERRED_SIZE, org.jdesktop.layout.GroupLayout.DEFAULT_SIZE, org.jdesktop.layout.GroupLayout.PREFERRED_SIZE)
                            .add(jButton4))))
                .addPreferredGap(org.jdesktop.layout.LayoutStyle.RELATED)
                .add(jLabel5)
                .add(layout.createParallelGroup(org.jdesktop.layout.GroupLayout.LEADING)
                    .add(layout.createSequentialGroup()
                        .addPreferredGap(org.jdesktop.layout.LayoutStyle.RELATED, 33, Short.MAX_VALUE)
                        .add(layout.createParallelGroup(org.jdesktop.layout.GroupLayout.BASELINE)
                            .add(jButton1)
                            .add(jButton2))
                        .add(30, 30, 30))
                    .add(layout.createSequentialGroup()
                        .add(17, 17, 17)
                        .add(jButton6)
                        .addPreferredGap(org.jdesktop.layout.LayoutStyle.RELATED)
                        .add(jButton5)
                        .add(17, 17, 17)))
                .add(jSeparator1, org.jdesktop.layout.GroupLayout.PREFERRED_SIZE, org.jdesktop.layout.GroupLayout.DEFAULT_SIZE, org.jdesktop.layout.GroupLayout.PREFERRED_SIZE)
                .addPreferredGap(org.jdesktop.layout.LayoutStyle.RELATED)
                .add(jLabel1)
                .addPreferredGap(org.jdesktop.layout.LayoutStyle.RELATED)
                .add(jLabel6)
                .addContainerGap(org.jdesktop.layout.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE))
        );
        pack();
    }// </editor-fold>


    private void jButton1MouseReleased(java.awt.event.MouseEvent evt) {
        // TODO add your handling code here:
        jLabel1.setText("Parsing in progress ......");
        jLabel6.setText(" ");
    }

    private void jButton6MouseClicked(java.awt.event.MouseEvent evt) {
        // TODO add your handling code here:
        JFrame frame2 = new JFrame();
        JOptionPane.showMessageDialog(frame2, "Developed by Eric Wong and " +
            "Geoffrey Xie, \r\nDepartment of Computer Science,\r\n" +
            "Naval Postgraduate School,\r\nNovember 2006.\r\n - " +
            programVersion, "About this tool",
            JOptionPane.INFORMATION_MESSAGE);
    }

    private void jButton5ActionPerformed(java.awt.event.ActionEvent evt) {
        // TODO add your handling code here:
        System.exit(0);
    }

    private void jLabel6PropertyChange(java.beans.PropertyChangeEvent evt) {
        // TODO add your handling code here:
    }

    private void jButton4MouseClicked(java.awt.event.MouseEvent evt) {
        // TODO add your handling code here:
        String filename = jTextField2.getText();
        JFileChooser chooser = new JFileChooser(new File(filename));
        chooser.setApproveButtonText("Ok");
        chooser.setApproveButtonToolTipText("Press OK after selecting a source directory");
        chooser.setBackground(java.awt.Color.white);
        chooser.setCurrentDirectory(new java.io.File("D:\\"));
        chooser.setFileSelectionMode(javax.swing.JFileChooser.DIRECTORIES_ONLY);

        // Show open dialog; this method does not return until the dialog is closed:
        int result = chooser.showOpenDialog(this);
        //int result = jFileChooser1.showOpenDialog(this);

        // Determine which button was clicked to close the dialog:
        switch (result) {
            case JFileChooser.APPROVE_OPTION:
                File selFile = chooser.getSelectedFile();
                jTextField2.setText(selFile.getAbsolutePath());
                break;
            case JFileChooser.CANCEL_OPTION:
                // Cancel or the close-dialog icon was clicked:
                break;
            case JFileChooser.ERROR_OPTION:
                // The selection process did not complete successfully:
                break;
        }
    }


    private void jTextField2MouseClicked(java.awt.event.MouseEvent evt) {
        // TODO add your handling code here:
    }

    private void jButton3MouseClicked(java.awt.event.MouseEvent evt) {
        // TODO add your handling code here:
        String filename = jTextField1.getText();
        JFileChooser chooser = new JFileChooser(new File(filename));
        chooser.setApproveButtonText("Ok");
        chooser.setApproveButtonToolTipText("Press OK after selecting a source directory");
        chooser.setBackground(java.awt.Color.white);
        chooser.setCurrentDirectory(new java.io.File("D:\\"));
        chooser.setFileSelectionMode(javax.swing.JFileChooser.DIRECTORIES_ONLY);

        // Show open dialog; this method does not return until the dialog is closed:
        int result = chooser.showOpenDialog(this);
        //int result = jFileChooser1.showOpenDialog(this);

        // Determine which button was clicked to close the dialog:
        switch (result) {
            case JFileChooser.APPROVE_OPTION:
                File selFile = chooser.getSelectedFile();
                jTextField1.setText(selFile.getAbsolutePath());
                break;
            case JFileChooser.CANCEL_OPTION:
                // Cancel or the close-dialog icon was clicked:
                break;
            case JFileChooser.ERROR_OPTION:
                // The selection process did not complete successfully:
                break;
        }
    }
    private void jButton2ActionPerformed(java.awt.event.ActionEvent evt) {
        // TODO add your handling code here:
        setVisible(false);
        new PathChooser(network, outputDirString).setVisible(true);
    }

    private void jTextField1MouseClicked(java.awt.event.MouseEvent evt) {
        // TODO add your handling code here:
    }

    private void jButton2MouseClicked(java.awt.event.MouseEvent evt) {
        // TODO add your handling code here:
        //if (jButton2.)
    }

    private void jLabel1PropertyChange(java.beans.PropertyChangeEvent evt) {
        // TODO add your handling code here:
    }

    private void jButton1MouseClicked(java.awt.event.MouseEvent evt) {
        // TODO add your handling code here:
        try {
            String input = jTextField1.getText();
            File inputDir = new File(input);
            String output = jTextField2.getText();
            outputDirString = output;
            File outputDir = new File(output);
            network = new NetworkConfig();
            new Parser(network, inputDir, outputDir);
            jLabel1.setText("Parsing completed and network files saved to " + output);
            jLabel6.setText("Step 3 : Click on Calculate Reachability Bounds");
            jButton2.setEnabled(true);
        } catch (Exception e) {
            System.out.println("Program Error - " + e);
            JFrame frame = new JFrame();
            JOptionPane.showMessageDialog(frame, "Error - " + e,
                "Program Error", JOptionPane.ERROR_MESSAGE);
        }
    }

    private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) {
        // TODO add your handling code here:
    }


    /**
     * @param args the command line arguments
     */
    public static void main(String args[]) {
        java.awt.EventQueue.invokeLater(new Runnable() {
            public void run() {
                new ParserGUI().setVisible(true);
            }
        });
    }

    // Variables declaration - do not modify
    private javax.swing.JButton jButton1;
    private javax.swing.JButton jButton2;
    private javax.swing.JButton jButton3;
    private javax.swing.JButton jButton4;
    private javax.swing.JButton jButton5;
    private javax.swing.JButton jButton6;
    private javax.swing.JLabel jLabel1;
    private javax.swing.JLabel jLabel2;
    private javax.swing.JLabel jLabel3;
    private javax.swing.JLabel jLabel4;
    private javax.swing.JLabel jLabel5;
    private javax.swing.JLabel jLabel6;
    private javax.swing.JLabel jLabel7;
    private javax.swing.JPanel jPanel2;
    private javax.swing.JPopupMenu jPopupMenu1;
    private javax.swing.JSeparator jSeparator1;
    private javax.swing.JTextField jTextField1;
    private javax.swing.JTextField jTextField2;
    // End of variables declaration
J. PATHCHOOSER.JAVA

package StaticReachabilityAnalysis;
/*
 * PathChooser.java
 *
 * Created on November 18, 2006, 1:35 AM
 */

/**
 * @author user
 */
import java.util.*;
import java.io.*;
import javax.swing.*;

public class PathChooser extends javax.swing.JFrame {
    NetworkConfig theNetwork = new NetworkConfig();
    String theOutputDir;

    /** Creates new form PathChooser */
    public PathChooser(NetworkConfig network, String outputDir) {
        initComponents();
        /* Populate the 2 combo boxes with the list of routers parsed earlier */
        Enumeration routerList = network.tableOfRouters.keys();
        String router[] = new String[network.tableOfRouters.size()];
        for (int i = 0; i < network.tableOfRouters.size(); i++) {
            router[i] = (String) routerList.nextElement();
            jComboBox1.addItem(router[i]);
            jComboBox2.addItem(router[i]);
        }
        if (network.tableOfRouters.size() > 1) jComboBox2.setSelectedIndex(1);
        theNetwork = network;
        theOutputDir = outputDir;
        try {
            String errorFileName = "Errors Encountered.txt";
            File errorFile = new File(theOutputDir, errorFileName);
            PrintStream errFile = new PrintStream(errorFile);
            System.setErr(errFile);
        } catch (Exception e) { System.out.println("Error - " + e); }
    }


    /** This method is called from within the constructor to
     * initialize the form.
     * WARNING: Do NOT modify this code. The content of this method is
     * always regenerated by the Form Editor.
     */
    // <editor-fold defaultstate="collapsed" desc=" Generated Code ">
    private void initComponents() {
        jDialog1 = new javax.swing.JDialog();
        jDialog2 = new javax.swing.JDialog();
        jComboBox1 = new javax.swing.JComboBox();
        jLabel1 = new javax.swing.JLabel();
        jLabel2 = new javax.swing.JLabel();
        jLabel3 = new javax.swing.JLabel();
        jComboBox2 = new javax.swing.JComboBox();
        jButton1 = new javax.swing.JButton();
        jSeparator1 = new javax.swing.JSeparator();
        jLabel4 = new javax.swing.JLabel();
        jButton2 = new javax.swing.JButton();

        org.jdesktop.layout.GroupLayout jDialog1Layout = new org.jdesktop.layout.GroupLayout(jDialog1.getContentPane());
        jDialog1.getContentPane().setLayout(jDialog1Layout);
        jDialog1Layout.setHorizontalGroup(
            jDialog1Layout.createParallelGroup(org.jdesktop.layout.GroupLayout.LEADING)
            .add(0, 400, Short.MAX_VALUE)
        );
        jDialog1Layout.setVerticalGroup(
            jDialog1Layout.createParallelGroup(org.jdesktop.layout.GroupLayout.LEADING)
            .add(0, 300, Short.MAX_VALUE)
        );

        org.jdesktop.layout.GroupLayout jDialog2Layout = new org.jdesktop.layout.GroupLayout(jDialog2.getContentPane());
        jDialog2.getContentPane().setLayout(jDialog2Layout);
        jDialog2Layout.setHorizontalGroup(
            jDialog2Layout.createParallelGroup(org.jdesktop.layout.GroupLayout.LEADING)
            .add(0, 400, Short.MAX_VALUE)
        );
        jDialog2Layout.setVerticalGroup(
            jDialog2Layout.createParallelGroup(org.jdesktop.layout.GroupLayout.LEADING)
            .add(0, 300, Short.MAX_VALUE)
        );
        setDefaultCloseOperation(javax.swing.WindowConstants.EXIT_ON_CLOSE);
        jLabel1.setText("Source Router");
        jLabel2.setText("Destination Router");

        jLabel3.setFont(new java.awt.Font("Arial", 1, 18));
        jLabel3.setText("REACHABILITY CALCULATION");

        jButton1.setText("Calculate It !");
        jButton1.addActionListener(new java.awt.event.ActionListener() {
            public void actionPerformed(java.awt.event.ActionEvent evt) {
                jButton1ActionPerformed(evt);
            }
        });
        jButton1.addMouseListener(new java.awt.event.MouseAdapter() {
            public void mouseClicked(java.awt.event.MouseEvent evt) {
                jButton1MouseClicked(evt);
            }
            public void mouseReleased(java.awt.event.MouseEvent evt) {
                jButton1MouseReleased(evt);
            }
        });

        jLabel4.setText("Select the source and destination routers for path calculation, then click \"Calculate It!\"");

        jButton2.setText("Quit");
        jButton2.addActionListener(new java.awt.event.ActionListener() {
            public void actionPerformed(java.awt.event.ActionEvent evt) {
                jButton2ActionPerformed(evt);
            }
        });
        org.jdesktop.layout.GroupLayout layout = new org.jdesktop.layout.GroupLayout(getContentPane());
        getContentPane().setLayout(layout);
        layout.setHorizontalGroup(
            layout.createParallelGroup(org.jdesktop.layout.GroupLayout.LEADING)
            .add(jSeparator1, org.jdesktop.layout.GroupLayout.DEFAULT_SIZE, 598, Short.MAX_VALUE)
            .add(layout.createSequentialGroup()
                .addContainerGap()
                .add(jLabel4, org.jdesktop.layout.GroupLayout.DEFAULT_SIZE, 578, Short.MAX_VALUE)
                .addContainerGap())
            .add(layout.createSequentialGroup()
                .add(38, 38, 38)
                .add(layout.createParallelGroup(org.jdesktop.layout.GroupLayout.LEADING)
                    .add(jLabel1)
                    .add(jLabel2))
                .add(69, 69, 69)
                .add(layout.createParallelGroup(org.jdesktop.layout.GroupLayout.LEADING, false)
                    .add(jComboBox2, 0, org.jdesktop.layout.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
                    .add(jComboBox1, 0, 347, Short.MAX_VALUE))
                .addContainerGap(54, Short.MAX_VALUE))
            .add(org.jdesktop.layout.GroupLayout.TRAILING, layout.createSequentialGroup()
                .addContainerGap(165, Short.MAX_VALUE)
                .add(layout.createParallelGroup(org.jdesktop.layout.GroupLayout.LEADING)
                    .add(layout.createSequentialGroup()
                        .add(jButton1)
                        .add(102, 102, 102)
                        .add(jButton2))
                    .add(jLabel3))
                .add(163, 163, 163))
        );
        layout.setVerticalGroup(
            layout.createParallelGroup(org.jdesktop.layout.GroupLayout.LEADING)
            .add(org.jdesktop.layout.GroupLayout.TRAILING, layout.createSequentialGroup()
                .add(24, 24, 24)
                .add(jLabel3)
                .addPreferredGap(org.jdesktop.layout.LayoutStyle.RELATED, 43, Short.MAX_VALUE)
                .add(layout.createParallelGroup(org.jdesktop.layout.GroupLayout.BASELINE)
                    .add(jLabel1)
                    .add(jComboBox1, org.jdesktop.layout.GroupLayout.PREFERRED_SIZE, org.jdesktop.layout.GroupLayout.DEFAULT_SIZE, org.jdesktop.layout.GroupLayout.PREFERRED_SIZE))
                .add(20, 20, 20)
                .add(layout.createParallelGroup(org.jdesktop.layout.GroupLayout.BASELINE)
                    .add(jLabel2)
                    .add(jComboBox2, org.jdesktop.layout.GroupLayout.PREFERRED_SIZE, org.jdesktop.layout.GroupLayout.DEFAULT_SIZE, org.jdesktop.layout.GroupLayout.PREFERRED_SIZE))
                .add(50, 50, 50)
                .add(layout.createParallelGroup(org.jdesktop.layout.GroupLayout.BASELINE)
                    .add(jButton1)
                    .add(jButton2))
                .add(36, 36, 36)
                .add(jSeparator1, org.jdesktop.layout.GroupLayout.PREFERRED_SIZE, 10, org.jdesktop.layout.GroupLayout.PREFERRED_SIZE)
                .addPreferredGap(org.jdesktop.layout.LayoutStyle.RELATED)
                .add(jLabel4, org.jdesktop.layout.GroupLayout.PREFERRED_SIZE, 14, org.jdesktop.layout.GroupLayout.PREFERRED_SIZE)
                .addContainerGap())
        );

        pack();
    }// </editor-fold>


    private void jButton1MouseReleased(java.awt.event.MouseEvent evt) {
        // TODO add your handling code here:
        jLabel4.setText("Reachability calculations in progress ......");
        // disable the "Calculate It" button while calculations are ongoing
        jButton1.setEnabled(false);
    }

    private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) {
        // TODO add your handling code here:
    }

    private void jButton2ActionPerformed(java.awt.event.ActionEvent evt) {
        // TODO add your handling code here:
        System.exit(0);
    }

    private void jButton1MouseClicked(java.awt.event.MouseEvent evt) {
        // TODO add your handling code here:
        ComputeNow();
        jButton1.setEnabled(true);
    }


    /*************************************************************************
     * Run the reachability computation code
     *************************************************************************/


    void ComputeNow() {
        // Path Calculations
        int source = jComboBox1.getSelectedIndex();
        int destination = jComboBox2.getSelectedIndex();
        boolean successComputeNow = false;
        boolean successFileSave = false;
        /*********************************************************************
         * If the source and destination routers selected are the same, pop up error
         * dialog box
         * Reachability computations will not be run
         *********************************************************************/
        if (source == destination) {
            JFrame frame = new JFrame();
            JOptionPane.showMessageDialog(frame,
                "Source and destination routers must not be the same !",
                "Selection Error", JOptionPane.ERROR_MESSAGE);
        }
        else {
            String sourceName = (String) jComboBox1.getSelectedItem();
            String destinationName = (String) jComboBox2.getSelectedItem();
            PacketSet rUB = new PacketSet();
            PacketSet rLB = new PacketSet();
            /*****************************************************************
             * Display reachability calculation information on default
             * system.out display
             *****************************************************************/
            System.out.println("======= Calculating Reachability =======");
            rUB = rUB.InitializePath(theNetwork, source, destination, rLB);
            System.out.println("\r\nReachability Upper Bound from " + source +
                " to " + destination + " : " + rUB);

            /*****************************************************************
             * Save reachability calculation results to a file in the output directory
             *****************************************************************/
            String outputFileName = "Reachability from " + sourceName
                + " to " + destinationName + ".txt";
            try {
                File outputFile = new File(theOutputDir, outputFileName);
                PrintWriter outFile = new PrintWriter(outputFile);
                outFile.println("Reachability Upper Bound from " + sourceName + " to "
                    + destinationName + " :" + "\r\n");
                outFile.println(rUB);
                /******************************** RLB Section disabled
                outFile.println();
                outFile.println("--------------------------------------------------");
                outFile.println("Reachability Lower Bound from " + sourceName + " to "
                    + destinationName + " :" + "\r\n");
                outFile.println(rLB);
                */
                outFile.close();
                successFileSave = true;
            } catch (Exception e) { System.out.println("Error - " + e); }

            successComputeNow = true;

            /*****************************************************************
             * Display status of reachability calculations in GUI
             *****************************************************************/
            if (successComputeNow && successFileSave)
                jLabel4.setText("Reachability calculations completed and saved to "
                    + theOutputDir);
            else if (successComputeNow)
                jLabel4.setText("Reachability calculations completed " +
                    "but could not be saved to " + theOutputDir);
            else jLabel4.setText("Reachability calculations failed. Select the source " +
                "and destination routers for path calculation, then click Calculate It!");
        }
    }


/**
 * @param args the command line arguments
 */
public static void main(String args[]) {
/* java.awt.EventQueue.invokeLater(new Runnable() {
public void run() {
new PathChooser().setVisible(true);
}
});
*/
}


// Variables declaration - do not modify
private javax.swing.JButton jButton1;
private javax.swing.JButton jButton2;
private javax.swing.JComboBox jComboBox1;
private javax.swing.JComboBox jComboBox2;
private javax.swing.JDialog jDialog1;
private javax.swing.JDialog jDialog2;
private javax.swing.JLabel jLabel1;
private javax.swing.JLabel jLabel2;
private javax.swing.JLabel jLabel3;
private javax.swing.JLabel jLabel4;
private javax.swing.JSeparator jSeparator1;
// End of variables declaration
}
K. RANGE.JAVA


package StaticReachabilityAnalysis;
/**
 * Range.java
 */
import java.util.*;
class Range {


/*String lower;
String upper;*/
long lower;
long upper;


/** Creates a new instance of Range */
Range() {
/*lower = "";
upper = "";*/
lower = -1L;
upper = -1L;
}

public String toString () {
return "[" + lower + "," + upper + "]";
}


}
L. ROUTERCONFIG.JAVA


package StaticReachabilityAnalysis;
/**
 * RouterConfig.java
 *
 * Created on August 16, 2006, 1:20 AM
 * Last modified August 22, 2006
 *
 * Contains the router configuration class
 */


import java.util.*;
import java.io.*;


class RouterConfig {

String hostName; // Router name
Hashtable tableOfInterfaceByNames; // Table of pointers to Interface objects
// keyed by the interface names
Hashtable tableOfInterfaceByIPs; // Table of pointers to Interface objects
// keyed by the interface IPs
Hashtable tableOfACLs; // Table of pointers to ACLs
TreeMap mapOfPacketSets; // Map of packet filters in tuple-form
// Use the ACL numbers as keys to point to the packetfilter objects (tuples)


/** Creates a new instance of RouterConfig */
RouterConfig() {
hostName = null;
tableOfInterfaceByNames = new Hashtable();
tableOfInterfaceByIPs = new Hashtable();
tableOfACLs = new Hashtable();
mapOfPacketSets = new TreeMap(new TComp());
//Interface = null; // doesn't work if set to null --> it's a pointer!
}


// not used???
public String toString() {
return hostName + " "
+ tableOfInterfaceByNames + " "
+ tableOfInterfaceByIPs + " "
+ tableOfACLs + " "
+ mapOfPacketSets + " ";
}

//Do a dump of the RouterConfig object for debugging/checking purposes
void Debug(RouterConfig a, File outputDir) {
try {
String outputFileName = "Router Dump ".concat(a.hostName.concat(".txt"));
File Output = new File(outputDir, outputFileName);
PrintWriter out = new PrintWriter(new BufferedWriter(new FileWriter(Output)));


// Set up debugger object exactly like RouterConfig class
// This eases checking that the debugger handles everything in the class
String debugHostName = a.hostName;
Hashtable debugTableOfInterfaceByNames = a.tableOfInterfaceByNames;
Hashtable debugTableOfInterfaceByIPs = a.tableOfInterfaceByIPs;
Hashtable debugTableOfACLs = a.tableOfACLs;
TreeMap debugMapOfPacketSets = a.mapOfPacketSets;


ACLrule debugACLrule;
LinkedList debugACL;


InterfaceConfig debugInterfaces;


out.println("Router Config Debugger");
out.println("-----------------------------------------------" + "\r\n");
out.println("Host name : " + debugHostName + "\r\n");
out.println("-----------------------------------------------" + "\r\n");
String acl;


Set set = debugMapOfPacketSets.entrySet();
Iterator aclSet = set.iterator();
while (aclSet.hasNext()) {
Map.Entry mapPS = (Map.Entry) aclSet.next();
acl = (String) mapPS.getKey();
out.println("ACL number : " + acl);


debugACL = (LinkedList) debugTableOfACLs.get(acl);
int LL_size = debugACL.size();
out.println("# of ACL rules : " + LL_size);
out.println("-----------------------------------------------");
out.println(debugMapOfPacketSets.get(acl));

int counter = 0;
while (counter < LL_size) {
debugACLrule = (ACLrule) debugACL.get(counter);
out.println(" Keyword / ACL# : " + debugACLrule.accessList
+ " / " + debugACLrule.accessListNumber);
out.println(" Keyword / Dyn# : " + debugACLrule.dynamic
+ " / " + debugACLrule.dynamicName);
out.println(" Keyword / TOmin : " + debugACLrule.timeout
+ " / " + debugACLrule.timeoutMinutes);
out.println(" Permit or Deny : " + debugACLrule.permitDeny);
out.println(" Protocol Range : " + debugACLrule.protocolLower
+ " / " + debugACLrule.protocolUpper);
out.println(" Src / Wildcard : " + debugACLrule.source
+ " / " + debugACLrule.sourceWildcard);
out.println(" Src Port Range : " + debugACLrule.sourcePortLower
+ " / " + debugACLrule.sourcePortUpper);
out.println(" Dest / Wildcard : " + debugACLrule.destination
+ " / " + debugACLrule.destinationWildcard);
out.println(" Dest Port Range : " + debugACLrule.destinationPortLower
+ " / " + debugACLrule.destinationPortUpper);
out.println(" Keyword / Prec# : " + debugACLrule.precedenceKeyword
+ " / " + debugACLrule.precedence);
out.println(" Keyword / TOS : " + debugACLrule.tosKeyword
+ " / " + debugACLrule.tos);
out.println(" Keyword / Log : " + debugACLrule.logKeyword
+ " / " + debugACLrule.logInput);


out.println("***********************************************");


counter++;
}

//if (ACL_number.hasMoreElements())
if (aclSet.hasNext())
out.println("+++++++++++++++++++++++++++++++++++++++++++++++\r\n");
else out.println();


}


out.println("-----------------------------------------------" + "\r\n");


// Objects within become a set?!!
String interfaceName;
Enumeration interfaceProperties = debugTableOfInterfaceByNames.keys();
while (interfaceProperties.hasMoreElements()) {
interfaceName = (String) interfaceProperties.nextElement();
out.println("Interface name : " + interfaceName);


debugInterfaces = (InterfaceConfig)
debugTableOfInterfaceByNames.get(interfaceName);


out.println("IP address : " + debugInterfaces.ipAddress);
out.println("IP mask : " + debugInterfaces.ipMask);
out.println("Neighbors : " + debugInterfaces.neighbors);
out.println("In Filters : " + debugInterfaces.inFilters);
out.println("Out Filters : " + debugInterfaces.outFilters);
out.println();


}
out.println("-----------------------------------------------" + "\r\n");


String Interface_IP;
Enumeration interfaceProperties_2 = debugTableOfInterfaceByIPs.keys();
while (interfaceProperties_2.hasMoreElements()) {
Interface_IP = (String) interfaceProperties_2.nextElement();
out.println("Interface IP : " + Interface_IP);


debugInterfaces = (InterfaceConfig)
debugTableOfInterfaceByIPs.get(Interface_IP);
out.println("Interface name : " + debugInterfaces.interfaceName);
out.println("IP mask : " + debugInterfaces.ipMask);
out.println("Neighbors : " + debugInterfaces.neighbors);
out.println("In Filters : " + debugInterfaces.inFilters);
out.println("Out Filters : " + debugInterfaces.outFilters);
out.println();


}


out.close();
} catch (Exception e) { System.out.println("Error - " + e); }


}
}
M. TCOMP.JAVA


package StaticReachabilityAnalysis;
/**
 * TComp.java
 */
import java.util.*;
class TComp implements Comparator {


// This Comparator overrides the default compare function
// Used for the TreeMap in RouterConfig
// Enables correct sorting of the ACL number string
public int compare (Object a, Object b) {
int aValue, bValue;


aValue = Integer.valueOf((String) a);
bValue = Integer.valueOf((String) b);

// if a is smaller than b, then a will come first
return (aValue - bValue);


}


/** Creates a new instance of TComp */
TComp() {
}
}
N. TUPLE.JAVA


package StaticReachabilityAnalysis;
/**
 * Tuple.java
 */
import java.util.*;
class Tuple {


Range sourceIP;
Range sourcePort;
Range destinationIP;
Range destinationPort;
Range protocol;


/** Creates a new instance of Tuple */
Tuple() {
sourceIP = new Range();
sourcePort = new Range();
destinationIP = new Range();
destinationPort = new Range();
protocol = new Range();
}


public String toString () {
PacketSet pS = new PacketSet();
return "[ " + pS.convertIntegertoIP(sourceIP.lower) + ", " +
pS.convertIntegertoIP(sourceIP.upper) + " ];" +
"[ " + sourcePort.lower + ", " + sourcePort.upper + " ];" +
"[ " + pS.convertIntegertoIP(destinationIP.lower) + ", " +
pS.convertIntegertoIP(destinationIP.upper) + " ];" + "[ " +
destinationPort.lower + ", " + destinationPort.upper + " ];" +
"[ " + protocol.lower + ", " + protocol.upper + " ]";
}
}
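Building a Tuple from one ACL rule, as an added example that is not part of the thesis code: Range and Tuple here are minimal local stand-ins for the appendix classes, ipToLong and wildcardToRange are this example's own helpers (the contiguous-wildcard check is its own assumption, not the thesis's rule), and the sample rule is constructed.

```java
/* Added example, not code from the thesis: builds the five Range fields of a
 * Tuple from a Cisco-style ACL rule (address/wildcard pairs, ports, protocol).
 * Range and Tuple are minimal local stand-ins for the appendix classes. */
public class WildcardToTuple {
    static final class Range {
        long lower = -1L, upper = -1L;        // -1 means unset, as in Range.java
        public String toString() { return "[" + lower + "," + upper + "]"; }
    }
    static final class Tuple {
        Range sourceIP, sourcePort, destinationIP, destinationPort, protocol;
        public String toString() {
            return sourceIP + ";" + sourcePort + ";" + destinationIP + ";"
                 + destinationPort + ";" + protocol;
        }
    }
    // Dotted quad -> unsigned 32-bit value held in a long (Range stores longs).
    static long ipToLong(String dotted) {
        String[] o = dotted.split("\\.");
        if (o.length != 4) throw new IllegalArgumentException("bad IPv4: " + dotted);
        long v = 0;
        for (String s : o) v = (v << 8) | (Integer.parseInt(s) & 0xFF);
        return v;
    }
    // "10.1.2.7 0.0.0.255" -> [10.1.2.0, 10.1.2.255]. Wildcard bits set to 1 are
    // "don't care", so they are cleared in the address before the bounds are formed.
    static Range wildcardToRange(String address, String wildcard) {
        long a = ipToLong(address), w = ipToLong(wildcard);
        // Only a low-order run of 1 bits (0.0.0.255, 0.0.1.255, ...) is one contiguous
        // range; 0.0.255.0 matches 256 separate /24s and needs one tuple per block.
        if (((w + 1) & w) != 0)
            throw new IllegalArgumentException("wildcard " + wildcard
                + " is not contiguous; the rule needs more than one tuple");
        Range r = new Range();
        r.lower = (a & ~w) & 0xFFFFFFFFL;
        r.upper = r.lower | w;
        return r;
    }
    static Range range(long lo, long hi) { Range r = new Range(); r.lower = lo; r.upper = hi; return r; }
    // Constructed sample rule: permit tcp 10.1.2.7 0.0.0.255 any eq 80
    public static void main(String[] args) {
        Tuple t = new Tuple();
        t.sourceIP = wildcardToRange("10.1.2.7", "0.0.0.255");        // host bits ignored
        t.sourcePort = range(0, 65535);                                 // no source port keyword
        t.destinationIP = wildcardToRange("0.0.0.0", "255.255.255.255"); // "any"
        t.destinationPort = range(80, 80);                              // eq 80
        t.protocol = range(6, 6);                                       // tcp = IP protocol 6
        System.out.println(t);
    }
}
```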
APPENDIX D. PACKETSET EFFICIENCY ANALYSIS

Per-ACL rows give the number of ACL rules, the number of PacketSets produced from them, and the ratio of the two; the first row of each router also carries the router number, its number of ACLs, and its per-router totals. Cells that did not survive extraction are left blank.

Router # | Number of ACLs | Number of ACL rules | Number of PacketSets | % of PacketSets to ACL rules | Total ACL rules per router | Total PacketSets per router
1 | 0 | 0 | 0 | 0.0% | 0 | 0
2 | 1 | 1 | 1 | 100.0% | 1 | 1
3 | 44 | 3 | 1 | 33.3% | 409 | 811
 |  | 7 | 6 | 85.7% |  | 
 |  | 2 | 1 | 50.0% |  | 
 |  | 6 | 6 | 100.0% |  | 
 |  | 5 | 5 | 100.0% |  | 
 |  | 2 | 1 | 50.0% |  | 
 |  | 2 | 1 | 50.0% |  | 
 |  | 13 | 9 | 69.2% |  | 
 |  | 8 | 6 | 75.0% |  | 
 |  | 2 | 4 | 200.0% |  | 
 |  | 15 | 10 | 66.7% |  | 
 |  | 2 | 2 | 100.0% |  | 
 |  | 8 | 4 | 50.0% |  | 
 |  | 7 | 6 | 85.7% |  | 
 |  | 9 | 16 | 177.8% |  | 
 |  | 5 | 6 | 120.0% |  | 
 |  | 9 | 16 | 177.8% |  | 
 |  | 9 | 6 | 66.7% |  | 
 |  | 2 | 2 | 100.0% |  | 
 |  | 3 | 2 | 66.7% |  | 
 |  | 7 | 16 | 228.6% |  | 
 |  | 22 | 68 | 309.1% |  | 
 |  | 10 | 28 | 280.0% |  | 
 |  | 7 | 17 | 242.9% |  | 
 |  | 4 | 2 | 50.0% |  | 
 |  | 8 | 20 | 250.0% |  | 
 |  | 9 | 25 | 277.8% |  | 
 |  | 4 | 3 | 75.0% |  | 
 |  | 5 | 6 | 120.0% |  | 
 |  | 13 | 40 | 307.7% |  | 
 |  | 9 | 24 | 266.7% |  | 
 |  | 15 | 42 | 280.0% |  | 
 |  | 13 | 40 | 307.7% |  | 
 |  | 14 | 42 | 300.0% |  | 
 |  | 17 | 50 | 294.1% |  | 
 |  | 9 | 24 | 266.7% |  | 
 |  | 10 | 18 | 180.0% |  | 
 |  | 23 | 80 | 347.8% |  | 
 |  | 56 | 97 | 173.2% |  | 
 |  | 9 | 8 | 88.9% |  | 
1 | 1 | 3 | 1 | 33.3% | 3 | 1
 |  | 3 | 1 | 33.3% |  | 
 |  | 6 | 6 | 100.0% |  | 
 |  | 5 | 5 | 100.0% |  | 
 |  | 2 | 1 | 50.0% |  | 
 |  | 13 | 9 | 69.2% |  | 
 |  | 8 | 6 | 75.0% |  | 
 |  | 4 | 12 | 300.0% |  | 
 |  | 5 | 16 | 320.0% |  | 
 |  | 6 | 16 | 266.7% |  | 
 |  | 5 | 10 | 200.0% |  | 
 |  | 9 | 10 | 200.0% |  | 
 |  | 5 | 10 | 200.0% |  | 
 |  | 9 | 10 | 200.0% |  | 
 |  | 5 | 10 | 200.0% |  | 
 |  | 9 | 11 | 122.2% |  | 
 |  | 8 | 20 | 250.0% |  | 
 |  | 5 | 10 | 200.0% |  | 345
 |  | 5 | 10 | 200.0% |  | 
 |  | 7 | 2 | 28.6% |  | 
 |  | 9 | 10 | 200.0% |  | 
 |  | 5 | 10 | 200.0% |  | 
 |  | 7 | 20 | 285.7% |  | 
 |  | 5 | 10 | 200.0% |  | 
 |  | 7 | 16 | 228.6% |  | 
 |  | 10 | 28 | 280.0% |  | 
 |  | 5 | 10 | 200.0% |  | 
 |  | 1 | 1 | 100.0% |  | 
 |  | 10 | 10 | 100.0% |  | 
 |  | 5 | 10 | 200.0% |  | 
 |  | 7 | 16 | 228.6% |  | 
 |  | 23 | 24 | 104.3% |  | 
 |  | 7 | 5 | 71.4% |  | 
 |  | 7 | 6 | 85.7% |  | 
 |  | 30 | 12 | 40.0% |  | 
 |  | 6 | 6 | 100.0% |  | 
 |  | 4 | 1 | 25.0% |  | 86
 |  | 10 | 24 | 240.0% |  | 
 |  | 8 | 37 | 462.5% |  | 
18 | 22 | 3 | 1 | 33.3% | 82 | 69
 |  | 2 | 1 | 50.0% |  | 
 |  | 2 | 2 | 100.0% |  | 
 |  | 2 | 2 | 100.0% |  | 

TOTAL | 204 | 1332 | 2245 | 168.54% | 1332 | 2245
MEAN | 10.20 | 6.47 | 10.90 | 127.53% | 66.60 | 112.25
STD DEV | 11.30 | 6.23 | 19.89 | 115.04% | 94.48 | 192.68
MAX | 44.00 | 56.00 | 136.00 |  | 409.00 | 811.00
MIN | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00